freemyipod.org wiki https://freemyipod.org/wiki/Main_Page MediaWiki 1.31.0
Main Page 0 50 1385 2009-02-24T00:02:51Z 68.59.238.111 0 New page: This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the pro... wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting.
I am using a free service until I can set up my own server.

--This wiki
[[About]]

--The iPod
[[Modes]]
[[Firmware]]

5b2138f1b98436b2daabfc90c422ce96e1ecd1f0 1387 1385 2009-02-24T00:16:19Z 68.59.238.111 0 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting. I am using a free service until I can set up my own server.

==This wiki==
[[About]]

==The iPod==
[[Modes]]
[[Firmware]]

0186ac41ca7e3989e06064fcf47030ce9256e3a1 1391 1387 2009-02-24T00:47:44Z 68.59.238.111 0 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting. I am using a free service until I can set up my own server.

==This wiki==
[[About]]

==The iPod==
[[Modes]]
[[Firmware]]

b18f57d038b01002f281cb54f881a8d96cbaee6a 1469 1391 2009-02-26T23:57:57Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting.
I am using a free service until I can set up my own server.

==This wiki==
[[About]]

==The iPod==
[[Modes]]
[[Dumping firmware]]
[[Firmware]]

7e65a8148b31132d1d4363ae865c4c9638fb4304 1470 1469 2009-02-27T00:44:33Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting. I am using a free service until I can set up my own server.

==This wiki==
[[About]]

==The iPod==
[[Modes]]
[[Hardware]]
[[Dumping firmware]]
[[Firmware]]

76bd04cdf1b59c5e6dc35af1827b68c58abb1e13 1473 1470 2009-02-27T02:08:34Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow hosting. I am using a free service until I can set up my own server.

==This wiki==
[[About]]

==The iPod==
[[Modes]]
[[Hardware]]
[[Dumping firmware]]
[[Extracting firmware]]
[[Firmware]]

ed4508231a14ec48c2b48bc4dfc295091880c0ff

Modes 0 52 1390 2009-02-24T00:47:22Z 68.59.238.111 0 New page: The 2G Nano has two special modes that it can boot into called disk mode and DFU mode ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is burned into the pro...
wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is burned into the processor's bootrom, so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the flash chips.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode is also flashed in the processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

c4aaa70f661a64a0446318c34c0a87c1493f1d2a 1392 1390 2009-02-24T00:53:07Z 68.59.238.111 0 wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is burned into the processor's bootrom, so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the flash chips.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode is also flashed in the processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

ff0d786905a9f0d989006a78381d884c21bececd 1431 1392 2009-02-24T22:34:32Z 84.56.163.246 0 /* Disk mode */ wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode is also flashed in the processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

c42a35c9444a0b68561bbe0d59218af9fdddbb8e 1432 1431 2009-02-24T22:37:10Z 84.56.163.246 0 /* DFU mode */ wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods.
DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

52c74074d37f7e23d3d78c3bb0ee7c30c7b9094b 1435 1432 2009-02-24T22:55:55Z 85.53.162.48 0 /* DFU mode */ wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.
The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off.
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing:
<pre>
Bus xxx Device YYY: ID 05ac:1225 Apple, Inc.
</pre>

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

81debc490728d621e35ed81324ebaf809d60d01e 1436 1435 2009-02-24T22:57:39Z 84.56.163.246 0 /* Getting DFU mode on 4g */ wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.
The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off (not needed?).
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing:
<pre>
Bus xxx Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus xxx Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

b25ecd812e0113dffe8dca8b49b5dc5398be435e 1437 1436 2009-02-24T22:58:43Z 84.73.67.214 0 wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.
It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off (not needed?).
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing:
<pre>
Bus xxx Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus xxx Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

===Debug mode===
Will give quite a lot of info about your iPod.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

4dafc03ef10c2e0036c4ce36e1e5bb4905d47e15 1443 1437 2009-02-25T02:32:53Z 68.59.238.111 0 wikitext text/x-wiki

The 2G Nano has two special modes that it can boot into called disk mode and DFU mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods.
DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off (not needed?).
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

===Debug (diagnostics) mode===
Will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

64be2f17bd9138cc7b393fbfbe7adabea2adaca0 1444 1443 2009-02-25T02:37:10Z 68.59.238.111 0 wikitext text/x-wiki

The 2G Nano has special modes that it can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off (not needed?).
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

==Debug (diagnostics) mode==
Will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

6313a109c53a5acda7bcda56b61a78e29cc736e6 1445 1444 2009-02-25T03:03:11Z 68.59.238.111 0 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Power off the iPod by holding play.
# The screen will go black.
# Plug the iPod into your computer.
# Turn hold on using the top switch, then turn hold off (not needed?).
# Keep pressing the menu button and the select (central) button simultaneously.
# The screen will go black, and shortly the Apple logo will appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

0d6479721d4fa70c2f163f527bb4d7c4304450e2 1458 1445 2009-02-25T10:59:29Z 68.59.238.111 0 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.
The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3g/4g===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

3285e848ecdf5191f1522cf1c308d3ce29a511dc 1459 1458 2009-02-25T11:02:18Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

a4c7acb2653db0b1da63dafcfd12bd646ea8015d 1460 1459 2009-02-25T11:18:58Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc.
(for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf 33b3bf2d5c1d0404b14fe50ddd5a5ff6c2921683 1461 1460 2009-02-25T11:19:12Z Cmwslw 1 wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. ==DFU mode== DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. 
The nano 2G also has a DFU mode, but that one is probably booted of the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet found out how to communicate with a Nano 2G in DFU mode, not even iTunes can do that. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device on you usb listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf e1554746075544ac49feafc44ac158d68b998366 1472 1461 2009-02-27T02:04:11Z Cmwslw 1 wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. 
Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. ==DFU mode== DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted of the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet found out how to communicate with a Nano 2G in DFU mode, not even iTunes can do that. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device on you usb listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (apple), and the number after the colon is the Product ID. 
It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf b87687ddc7e22dfdae0e0ca10f902bb9d4d26be9 1474 1472 2009-02-27T09:53:44Z 147.210.8.12 0 /* Disk mode */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki. ==DFU mode== DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. 
The nano 2G also has a DFU mode, but that one is probably booted of the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet found out how to communicate with a Nano 2G in DFU mode, not even iTunes can do that. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device on you usb listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf fa8040343fb4cec5fb71c176a654425cb23884ff 1476 1474 2009-02-27T09:59:16Z Fleury 2 /* Disk mode */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. 
Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor boot ROM. Newer iPods have both DFU mode and disk mode, while the iPod Touch and iPhones have DFU mode exclusively. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. Nobody has yet found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

Dumping firmware 0 53 1468 1467 2009-02-26T23:56:39Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.

===From the iPod===
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.

===From the internet===
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

'''For 1G - 3G Nanos:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|}

'''The 4G Nanos seem to have a different structure with an interesting new file:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". It is now very likely that the iPod uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}

You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.

Hardware 0 54 1471 2009-02-27T00:45:32Z Cmwslw 1 New page: 1G Nano: 2G Nano: 3G Nano: 4G Nano: wikitext text/x-wiki
1G Nano:

2G Nano:

3G Nano:

4G Nano:

File:Diskmode.jpg 6 55 1475 2009-02-27T09:57:55Z Fleury 2 Key Combination to enter Disk mode (courtesy to iPodLinux project) wikitext text/x-wiki
Key Combination to enter Disk mode (courtesy to iPodLinux project)

Firmware 0 56 1483 1477 2009-02-28T00:22:17Z Cmwslw 1 wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].
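The [[Dumping firmware]] page describes .ipsw files as .zip archives and notes readable strings clustered at the end of the 4G Nano bootloader file. The following is an added example, not part of the original wiki or of the Linux4nano tools, that lists an .ipsw's members and extracts printable strings from the tail of each one; the function names, the size limits and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Strings the wiki page reports near the end of the 4G Nano bootloader file.
KEYWORDS = ("Apple iPod Certification Authority", "S5L8720", "Secure Boot")


def printable_strings(data, min_len=6):
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def inspect_ipsw(source, tail_bytes=4096, max_member_size=64 * 1024 * 1024):
    """Open an .ipsw as the zip archive it is and scan the tail of each member.

    source is a path or a binary file object. Members larger than
    max_member_size are listed but not decompressed, so an untrusted
    archive cannot exhaust memory.
    """
    report = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size,
                     "skipped": False, "strings": [], "hits": []}
            report.append(entry)
            if info.file_size > max_member_size:
                entry["skipped"] = True
                continue
            # Bounded read as a second guard against decompression blow-up.
            with archive.open(info) as member:
                data = member.read(max_member_size + 1)
            if len(data) > max_member_size:
                entry["skipped"] = True
                continue
            # Only the last tail_bytes are scanned; offsets are relative to the member.
            base = max(0, len(data) - tail_bytes)
            entry["strings"] = [(base + off, text)
                                for off, text in printable_strings(data[base:])]
            entry["hits"] = [k for k in KEYWORDS
                             if any(k in text for _, text in entry["strings"])]
    return report


def build_sample_ipsw():
    """Build a constructed stand-in for a 4G Nano .ipsw in memory (not real firmware)."""
    filler = b"\x00\xff" * 4096  # 8192 bytes containing no printable runs
    tail = b"\x00".join(k.encode("ascii") for k in KEYWORDS) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Firmware.MSE", filler)
        archive.writestr("manifest.plist",
                         b"<?xml version=\"1.0\"?>\n<plist><dict/></plist>\n")
        archive.writestr("N58s.bootloader.release.rb3", filler + tail)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in inspect_ipsw(build_sample_ipsw()):
        print(entry["name"], entry["size"], entry["hits"])
        for offset, text in entry["strings"]:
            print("    0x%06x  %s" % (offset, text))
```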
==Helpful Pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf d9b3032ab57d6bd9fcb5e3f8964402c7c4c8d9b8 1484 1483 2009-02-28T00:22:42Z Cmwslw 1 wikitext text/x-wiki This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf b8b56d4ff4fd181b155abb3a9de6a1516e7cc731 1502 1484 2009-02-28T22:54:37Z Cmwslw 1 wikitext text/x-wiki This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 1e28592d5b3955027c2df354dfea29cd3503891c 1503 1502 2009-02-28T22:55:05Z Cmwslw 1 wikitext text/x-wiki This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware cc32b22d1e02d60d4cd74222da366ad27bd63436 1538 1503 2009-03-09T01:31:19Z Cmwslw 1 wikitext text/x-wiki This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is under construction. :-) ==osos== This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png]] ==aupd== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png]] ==rsrc== This is the filesystem of the iPod. 
It is unencrypted and of not much use to this project. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 20870b925c733fcfdbc67effcb7d2289c7492ecc 1542 1538 2009-03-09T19:17:16Z 66.18.62.36 0 wikitext text/x-wiki This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is under construction. :-) ==osos== This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ==aupd== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ==rsrc== This is the filesystem of the iPod. It is unencrypted and of not much use to this project. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 0ffbf82e8b7625580df9d9b45b46b14bacd0ebf8 Extracting firmware 0 57 1478 2009-02-28T00:07:46Z Cmwslw 1 New page: The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary ... wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos (6G Classic?) as of Feb. 2009. To obtain a list of availible files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. 
To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> e3dfe3e084269647c0f7390702a6a053c782b6f3 1486 1478 2009-02-28T00:23:29Z Cmwslw 1 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos (6G Classic?) as of Feb. 2009. To obtain a list of availible files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf f641eeacf209dccd9e540f38f4f9c59e777c5c53 1505 1486 2009-02-28T22:55:45Z Cmwslw 1 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos (6G Classic?) as of Feb. 2009. To obtain a list of availible files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. 
To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware f7a6d6a872adbf86d0812bf8d580531a8750a4dd 1544 1505 2009-03-09T22:52:06Z Cmwslw 1 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine. To obtain a list of availible files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware e5cb5df2d7138a6957d65fcbe7d6c617b4c5afd9 Main Page 0 50 1479 1473 2009-02-28T00:09:42Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. 
Linux4nano also has a fairly active irc channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. ==This wiki== [[About]] ==The iPod== [[Modes]] [[Hardware]] [[Dumping firmware]] [[Extracting firmware]] [[Firmware]] 2ecf98b8b8cabefd2e4bb90eb2569e7f5895a846 1480 1479 2009-02-28T00:10:10Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. ==This wiki== [[About]] ==The iPod== [[Modes]] [[Hardware]] [[Dumping firmware]] [[Extracting firmware]] [[Firmware]] 20d3c0c24d20f6af63185fe417d5306b94aed2d3 1481 1480 2009-02-28T00:11:30Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. 
==This wiki== [[About]] ==iPod Firmware== [[Firmware]] [[Dumping firmware]] [[Extracting firmware]] ==iPod Hardware== [[Hardware]] [[Modes]] c3bd722304b5c0b5aa4e78dc9f53d70f3fa0b58b 1506 1481 2009-03-01T02:59:28Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. ==This wiki== [[About]] ==iPod Firmware== [[Firmware]] [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ==iPod Hardware== [[Hardware]] [[Modes]] [[Chronology]] 3477f8c82a21bb087acdad4b8bd927dca2704d4c 1524 1506 2009-03-04T01:04:25Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. ==This wiki== [[About]] ==iPod Firmware== [[Firmware]] [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] [[Bootstrapping sequence]] ==iPod Hardware== [[Hardware]] [[Modes]] [[Chronology]] 2183d2e6ae4d64f267bb46fadfc200edac867c2a 1528 1524 2009-03-09T00:08:43Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. 
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. ==This wiki== [[About]] ==iPod Firmware== [[Firmware]] [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] [[Bootstrapping sequence]] ==iPod Hardware== [[Hardware]] [[Modes]] [[Chronology]] 87b2cd8f5268ab92b2e10106da3354768ea4ce32 1529 1528 2009-03-09T00:14:20Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. 
==This wiki== [[About]] ==iPod Firmware== [[Firmware]] [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Modes]] [[Chronology]] 5c161d41257e039b9b15e750ecd543f932f90bcf 1543 1529 2009-03-09T21:39:49Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of its hardware and software aspects are similar to those of the iPod. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Modes]] [[Chronology]] 783e9d9fac1478dae5e0dfbf8c32074f64e21bf6 Hardware 0 54 1482 1471 2009-02-28T00:21:10Z Cmwslw 1 wikitext text/x-wiki 1G Nano: 2G Nano: {| class="wikitable" ! Component !! Details |- | CPU | An Apple-branded ARM processor marked 337S3291 8701. It is probably a [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701B05], because the markings share an S for Samsung, and 8701 for the part number. |- | Codec | Another Apple-rebranded chip marked APPLE 33850310, probably a Wolfson. Same size and position as previous Wolfson chip. ([http://www.wolfsonmicro.com/products/WM8750/ Wolfson WM8750S]? 
- unknown source) |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. The data of this chip is decrypted too. See [[#Encryption|Encryption]]. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |- | PM | [http://www.national.com/pf/LM/LM34910.html National's LM34910] switching power supply and [http://www.linear.com/pc/productDetail.jsp?navId=H0,C1,C1003,C1037,C1774,P12292 Linear's LTC4066] for charging the battery off USB power. |} 3G Nano: 4G Nano: 47e10c62ec68d0ba493ffdf42fd99bd336873580 1487 1482 2009-02-28T00:24:22Z Cmwslw 1 wikitext text/x-wiki 1G Nano: 2G Nano: {| class="wikitable" ! Component !! Details |- | CPU | An Apple-branded ARM processor marked 337S3291 8701. It is probably a [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701B05], because the markings share an S for Samsung, and 8701 for the part number. |- | Codec | Another Apple-rebranded chip marked APPLE 33850310, probably a Wolfson. Same size and position as previous Wolfson chip. ([http://www.wolfsonmicro.com/products/WM8750/ Wolfson WM8750S]? - unknown source) |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. The data of this chip is decrypted too. See [[#Encryption|Encryption]]. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. 
|- | PM | [http://www.national.com/pf/LM/LM34910.html National's LM34910] switching power supply and [http://www.linear.com/pc/productDetail.jsp?navId=H0,C1,C1003,C1037,C1774,P12292 Linear's LTC4066] for charging the battery off USB power. |} 3G Nano: 4G Nano: ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf fdda0ba48ea5201b3605fe702e2bb9f4aefe1838 1495 1487 2009-02-28T17:06:44Z Cmwslw 1 wikitext text/x-wiki ==1G Nano== ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | An Apple-branded ARM processor marked 337S3291 8701. It is probably a [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701B05], because the markings share an S for Samsung, and 8701 for the part number. |- | Codec | Another Apple-rebranded chip marked APPLE 33850310, probably a Wolfson. Same size and position as previous Wolfson chip. ([http://www.wolfsonmicro.com/products/WM8750/ Wolfson WM8750S]? - unknown source) |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. The data of this chip is decrypted too. See [[#Encryption|Encryption]]. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |- | PM | [http://www.national.com/pf/LM/LM34910.html National's LM34910] switching power supply and [http://www.linear.com/pc/productDetail.jsp?navId=H0,C1,C1003,C1037,C1774,P12292 Linear's LTC4066] for charging the battery off USB power. 
|} ==3G Nano== ==4G Nano== ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 49693f92280fb55bc5adab9523f6445cf3ad21b3 1496 1495 2009-02-28T17:12:25Z Cmwslw 1 wikitext text/x-wiki ==1G Nano== ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | An Apple-branded ARM processor marked 337S3291 8701. It is probably a [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701B05], because the markings share an S for Samsung, and 8701 for the part number. |- | Codec | Another Apple-rebranded chip marked APPLE 33850310, probably a Wolfson. Same size and position as previous Wolfson chip. ([http://www.wolfsonmicro.com/products/WM8750/ Wolfson WM8750S]? - unknown source) |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. The data of this chip is decrypted too. See [[#Encryption|Encryption]]. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |- | PM | [http://www.national.com/pf/LM/LM34910.html National's LM34910] switching power supply and [http://www.linear.com/pc/productDetail.jsp?navId=H0,C1,C1003,C1037,C1774,P12292 Linear's LTC4066] for charging the battery off USB power. 
|} ==3G Nano== ==4G Nano== ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 67fc8388e0de50790a1441eb121fd7aa6501fecd 1497 1496 2009-02-28T17:12:51Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. 
If you have any suggestions for any other components to add, just post on the talk page or IRC. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | An Apple-branded ARM processor marked 337S3291 8701. It is probably a [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701B05], because the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. The data of this chip is decrypted too. See [[#Encryption|Encryption]]. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | |- | Utility Flash ROM | |- | NAND Flash | |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 15d0590f471d401b93f3b2f73ade9612a971a13a 1498 1497 2009-02-28T18:51:15Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has managed to extract this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | |- | NAND Flash | |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 8b08ba2d569f05e0976f6aa8721b5613689edbbf 1499 1498 2009-02-28T18:51:38Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has managed to extract this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. 
Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | |- | NAND Flash | |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 37a79806b765b4f8fe0d41cc6d0247fb1684e6ee 1500 1499 2009-02-28T18:57:16Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has managed to extract this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | |- | NAND Flash | |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 987f2ef04a09a9b1c471ba07dd1806687d332e68 1501 1500 2009-02-28T18:58:48Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has managed to extract this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. 
Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | |- | NAND Flash | |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 322a632bc8e0e73523da8dab7c199f6679d9fc44 1509 1501 2009-03-01T23:15:34Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has managed to extract this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM |- | NAND Flash | Samsung K9HCG08U5M |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 a6ec61af051cd1de1581ade34bc0a3c0b31dfdf0 1510 1509 2009-03-01T23:28:30Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. 
Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | Utility Flash ROM | [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM |- | NAND Flash | Samsung K9HCG08U5M |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 77687d268a02855b94a232baa0a8baf0bd500044 1511 1510 2009-03-01T23:29:18Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. 
If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | Utility Flash ROM | |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM |- | NAND Flash | Samsung K9HCG08U5M |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 e091842ce1f3b5ed28fd7f1104f314dbdc2c91a5 1513 1511 2009-03-02T02:24:31Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] The processor itself is an Apple-branded ARM processor marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. 
|- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | NAND Flash | Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM |- | NAND Flash | Samsung K9HCG08U5M |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] |- | Utility Flash ROM | |- | NAND Flash | |} ==Helpful pages== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 6ecbaa629be72580b196bef38cb83956df135aa7 1516 1513 2009-03-03T00:57:19Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. |- | NAND Flash | |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. 
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| NAND Flash
| Depends on the iPod. Common ones are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}
==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| NAND Flash
| Samsung K9HCG08U5M
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor.
|-
| Utility Flash ROM
|
|-
| NAND Flash
|
|}
==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
818f9796d0121a27e508f41fb9dfe6dc60c24d4d 1517 1516 2009-03-03T01:09:24Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}
==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor.
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
e2ee6bb8c92e2c8055a71706ef0422b238e63013 1518 1517 2009-03-03T01:10:34Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}
==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
950e9153e8ada22d1e379b2c2e6f161f98b74cd6 1527 1518 2009-03-09T00:02:27Z 68.59.238.111 0 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}
==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G.
This could mean that some of the same exploits for that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
096b0e91e399efd3ce8948e97e3b85b40f41c52f 1530 1527 2009-03-09T00:17:29Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !!
Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}
==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
!
Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}
==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
e55ff865190a04a660e2dec87edb8d4818a40fbc Dumping firmware 0 53 1485 1468 2009-02-28T00:23:11Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
===From the iPod===
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
===From the internet===
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
'''For 1G - 3G Nanos:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
'''The 4G Nanos seem to have a different structure with an interesting new file:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". It is now very likely that the iPod uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
a6a58e6331b5602b7eab8b03694c5662ac4868c7 1488 1485 2009-02-28T00:25:35Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while.
If you have a lot of data on your iPod, it can take a very long time.
==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
'''For 1G - 3G Nanos:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
'''The 4G Nanos seem to have a different structure with an interesting new file:'''
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". It is now very likely that the iPod uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
060dc64f8dddfe886d9119c3bb74dc6bea971604 1489 1488 2009-02-28T03:05:39Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
===1G-3G Nano firmware structure===
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". It is now very likely that the iPod uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
9cfbd4552ff4901b1ce15e0daa95882aa50565fe 1494 1489 2009-02-28T17:05:08Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
===1G-3G Nano firmware structure===
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
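The two archive layouts in the tables above can be told apart by member name, and the strings in the bootloader file can be located by offset. This is an added example, not part of the original wiki page: the function names, the size cap and the in-memory sample archive are assumptions, and the sample holds constructed placeholder bytes rather than real firmware.

```python
import io
import re
import zipfile

# Member names and marker strings are the ones listed in the tables on this page.
BOOTLOADER_NAME = "N58s.bootloader.release.rb3"
MARKERS = ("Apple iPod Certification Authority", "S5L8720", "Secure Boot")
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumption: refuse oversized members


def classify_ipsw(fileobj):
    """Return (layout, member_names) for an .ipsw, which is a plain zip."""
    if not zipfile.is_zipfile(fileobj):
        raise ValueError("not a zip archive, so not an .ipsw")
    with zipfile.ZipFile(fileobj) as zf:
        names = sorted(i.filename for i in zf.infolist() if not i.is_dir())
    if "Firmware.MSE" in names:
        layout = "4G"
    elif any(n.startswith("Firmware-") for n in names):
        layout = "1G-3G"
    else:
        layout = "unknown"
    return layout, names


def read_member(fileobj, name, limit=MAX_MEMBER_BYTES):
    """Read one member, refusing it if it decompresses past the limit."""
    with zipfile.ZipFile(fileobj) as zf:
        with zf.open(name) as fh:
            data = fh.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"{name} is larger than {limit} bytes")
    return data


def ascii_strings(data, min_len=6):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")


def marker_report(data, markers=MARKERS):
    """Map each marker to the offset of the first string containing it."""
    found = {m: None for m in markers}
    for offset, text in ascii_strings(data):
        for m in markers:
            if found[m] is None and m in text:
                found[m] = offset
    return found


def build_sample_ipsw(layout="4G"):
    """Constructed stand-in archive; the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.plist", "<plist><dict/></plist>")
        if layout == "4G":
            zf.writestr("Firmware.MSE", bytes(range(256)) * 4)
            tail = b"\x00".join(m.encode() for m in MARKERS)
            zf.writestr(BOOTLOADER_NAME, b"\x00\xff" * 512 + tail + b"\x00")
        else:
            zf.writestr("Firmware-XX.X.X.X", bytes(range(256)) * 4)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_ipsw("4G")
    layout, names = classify_ipsw(sample)
    print(layout, names)
    if BOOTLOADER_NAME in names:
        report = marker_report(read_member(sample, BOOTLOADER_NAME))
        for marker, offset in report.items():
            print(f"{marker!r}: offset {offset}")
```

To inspect a downloaded file instead of the sample, pass `open("some.ipsw", "rb")` to the same functions.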
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
7c74eab1367fed380e4c8b73ba6ff98a6d5248a2 1504 1494 2009-02-28T22:55:26Z Cmwslw 1 wikitext text/x-wiki
The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
===1G-3G Nano firmware structure===
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware
5461870fc5a50c4cfb2bd202130d1c87f09f3bb7 Modes 0 52 1531 1476 2009-03-09T00:57:56Z Cmwslw 1 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])
==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.
You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using the following command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

0ebe519cf2230622a26e393ae81941fef6094b02

1540 1531 2009-03-09T10:23:02Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed for as long as the iPod has. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip boot ROM. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

The 4G Nano's .ipsw file contains a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained with the following command:
<pre>apt-get install dfu-util</pre>

We have not yet been able to extract the firmware off of the iPod via DFU mode. With the command below, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
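Added example (not part of the original wiki page or of the Linux4nano project's code): a Python helper for the DFU mode section above that classifies <code>lsusb</code> lines by the product IDs listed there and checks whether a file uploaded with dfu-util is just one short sequence repeated, as reported for the 64-byte transfers. The function names, the sample <code>lsusb</code> text (including the <code>05ac:ffff</code> line) and the sample byte strings are constructed for illustration.

```python
import re
import struct

# Product IDs quoted in the lsusb listings on this page (vendor 05ac is Apple).
KNOWN_IDS = {
    (0x05AC, 0x1224): ("Nano 3G", "DFU"),
    (0x05AC, 0x1225): ("Nano 4G", "DFU"),
    (0x05AC, 0x1263): ("Nano 4G", "normal"),
}
APPLE_VENDOR_ID = 0x05AC

LSUSB_LINE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})"
)


def classify_lsusb(output):
    """Return (bus, device, model, mode) for every Apple device in lsusb output."""
    found = []
    for line in output.splitlines():
        match = LSUSB_LINE.match(line.strip())
        if not match:
            continue
        bus, device = match.group(1), match.group(2)
        ids = (int(match.group(3), 16), int(match.group(4), 16))
        if ids in KNOWN_IDS:
            found.append((bus, device) + KNOWN_IDS[ids])
        elif ids[0] == APPLE_VENDOR_ID:
            # Product ID not listed on the page: report it rather than guess.
            label = "unlisted Apple product %04x" % ids[1]
            found.append((bus, device, label, "unknown"))
    return found


def smallest_period(data):
    """Smallest p with data[i] == data[i + p] for all valid i (KMP prefix function)."""
    n = len(data)
    if n == 0:
        return 0
    border = [0] * n
    k = 0
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = border[k - 1]
        if data[i] == data[k]:
            k += 1
        border[i] = k
    return n - border[-1]


def assess_upload(data, transfer_size=64):
    """Decide whether an uploaded image is one short sequence repeated."""
    period = smallest_period(data)
    last_start = len(data) - transfer_size
    blocks = {data[i:i + transfer_size]
              for i in range(0, last_start + 1, transfer_size)}
    # Repetition only counts once at least two full transfers were captured.
    repeated = len(data) >= 2 * transfer_size and period <= transfer_size
    return {
        "size": len(data),
        "period": period,
        "distinct_blocks": len(blocks),
        "repeated_block": repeated,
    }


# Constructed sample inputs (not captured from a real device).
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 05ac:1225 Apple, Inc.
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 003: ID 05ac:1263 Apple, Inc.
Bus 003 Device 005: ID 05ac:ffff Apple, Inc.
"""
# Ten identical 64-byte transfers plus a partial one, as after an aborted upload.
REPEATED_UPLOAD = bytes(range(64)) * 10 + bytes(range(10))
# 640 bytes that never repeat: big-endian counters 0..159.
VARYING_IMAGE = b"".join(struct.pack(">I", i) for i in range(160))

if __name__ == "__main__":
    for entry in classify_lsusb(SAMPLE_LSUSB):
        print(entry)
    print(assess_upload(REPEATED_UPLOAD))
    print(assess_upload(VARYING_IMAGE))
```

A period no larger than the transfer size means the file holds no more information than a single transfer, so it should not be treated as a firmware dump.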
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

a459bbcf673d7ba1f3a452a4ec9377b20f9dff49

File:Firmware layout.png 6 60 1532 2009-03-09T01:07:12Z Cmwslw 1 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709

File:IN2G cipher aupd diffs.png 6 61 1533 2009-03-09T01:07:37Z Cmwslw 1 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709

File:IN2G firmware aupd header.png 6 62 1534 2009-03-09T01:07:57Z Cmwslw 1 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709

File:IN2G firmware osos header.png 6 63 1535 2009-03-09T01:08:18Z Cmwslw 1 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709

Chronology 0 65 1539 2009-03-09T01:33:10Z Cmwslw 1 New page: [[Image:IPod Timeline.png]] wikitext text/x-wiki

[[Image:IPod Timeline.png]]

8da7135c6377bf7c3bd5f756ce28a74b293460cf

Firmware decryption 0 66 1541 2009-03-09T10:23:57Z Cmwslw 1 New page: ==Helpful pages== wikitext text/x-wiki

==Helpful pages==

1c5e3a41693a22c83ee8d13dd3ccd10738dda1cf

Hardware 0 54 1545 1530 2009-03-10T23:05:24Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
===1G Nano===
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4

===2G Nano===
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

f3f093ebb9061a17f4c3a8557a4d6403fde2250f

1546 1545 2009-03-10T23:07:45Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)

===1G Nano===
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

===2G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

7388c15085e3faeca3aeec25b4698372ef18913f

1547 1546 2009-03-10T23:15:18Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
|
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
===1G Nano===
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

===2G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://arstechnica.com/apple/reviews/2007/09/the-ipod-gets-a-makeover-a-review-of-the-ipod-nano-and-ipod-classic.ars
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

1a36552187ccf6046c0cdcee9882723fdebb9a61

1549 1547 2009-03-12T00:53:52Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75] 256Mbit (32MByte) Mobile 1.8V DDRAM
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)

===1G Nano===
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

===2G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://arstechnica.com/apple/reviews/2007/09/the-ipod-gets-a-makeover-a-review-of-the-ipod-nano-and-ipod-classic.ars
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

a72a812d657654f135f4e19e7df97e2e22b2dc27

1550 1549 2009-03-13T01:29:08Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC.
Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
===1G Nano===
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

===2G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://arstechnica.com/apple/reviews/2007/09/the-ipod-gets-a-makeover-a-review-of-the-ipod-nano-and-ipod-classic.ars
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

36272f0a0444cca118bba83fa69f2557cec4c275

1551 1550 2009-03-13T02:03:43Z Cmwslw 1 wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number.
|-
| Utility Flash ROM
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano.
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM].
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M].
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used on that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash ROM
|
|-
| NAND Flash
| This chip is dependent on the iPod model, but all interface in the same way.
|}

==Helpful pages==
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] ===2G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://arstechnica.com/apple/reviews/2007/09/the-ipod-gets-a-makeover-a-review-of-the-ipod-nano-and-ipod-classic.ars http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 06df3531292030d4f6696a0a0367390f96b98edb 1556 1551 2009-03-16T22:43:58Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. 
|- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://arstechnica.com/apple/reviews/2007/09/the-ipod-gets-a-makeover-a-review-of-the-ipod-nano-and-ipod-classic.ars http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 21c354ab80d5f5395699f40ba81b07b0724329e5 1559 1556 2009-03-16T23:12:49Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. 
The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html http://www.appleinsider.com/articles/07/09/10/a_peek_inside_apples_new_nano_and_classic_ipods_photos.html ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 1b7cfed6bd45d9f5bbc70c0c72616f264349c93d 1560 1559 2009-03-16T23:13:40Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. 
|- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 75098cb8bdd34ab90aa47c1eefe7f35d9e92c456 1561 1560 2009-03-16T23:37:09Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. 
|} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. 
Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 0bc639ec75258d5880ca9eccb0032d0f6a648e9b 1577 1561 2009-03-19T18:46:19Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. 
|- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702, but the markings share an S for Samsung, and 8702 for the part number. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 8e3277fa4a9dda037be1a498d7d6471eb7dd4ce8 1590 1577 2009-03-19T21:36:40Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - apparently the datasheet can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here]. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701, but the markings share an S for Samsung, and 8701 for the part number. |- | Utility Flash ROM | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG/datasheet.pdf here] is the datasheet. This is the same chip used in the previous Nanos. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. 
|} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash ROM | SST25VF080B |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash ROM | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 79c2b1ce5cd52fed49cd92140daaa8c753cf71bd 1591 1590 2009-03-19T21:47:02Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! 
Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 61e3401662649c838060de13c909adb767558261 1592 1591 2009-03-19T21:47:49Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. Common ones for the 2G Nano are the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M] and the [http://www.alldatasheet.com/datasheet-pdf/pdf/115161/HYNIX/HY27UF081G2M.html Hynix HY27UW08BGFM]. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! 
Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. A common one for the 3G Nano is the [http://www.datasheet4u.com/download.php?id=607807 Samsung K9MBG08U5M]. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |- | NAND Flash | This chip is dependent on the iPod model, but all interface in the same way. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 2b76f6fdf9737a93d24ebb3b498b3f0d590adaee 1593 1592 2009-03-19T21:54:24Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X561], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 27cd25d28aa0fba30636d01e14e1064348b6640d 1594 1593 2009-03-19T21:56:06Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI], a 256Mbit (32MByte) Mobile 1.8V DDRAM. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 6be570acf6de631dc4cce29f1bf0d22982bd7212 1595 1594 2009-03-19T21:57:04Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx d8625532b2f63c425c387683b7dc9f82d8ceb87a 1596 1595 2009-03-20T18:20:55Z 68.212.244.12 0 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] ARM940T processor. Absolutely no documentation exists for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx a53e801d277568ebd22e1e5e0af6d1d68a960bd3 1597 1596 2009-03-25T02:57:47Z 80.240.220.238 0 2G CPU and RAM info update wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T (SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB (1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation is available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes a Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. 
Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 9aca08fbe0103643d525b5bbac8ff7f768f7e487 1599 1597 2009-03-25T22:37:26Z 74.235.64.101 0 /* 2G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip.
Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 3fc7cc2e3ed5267c51bbe609b61325571714971a 1600 1599 2009-03-25T23:39:28Z 74.235.64.101 0 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. '''The datasheet for the S5L8700X series (or at least part of it) has been located!''' You can download it here, but I (cmwslw) will try to get it hosted on my site soon. Even though it might be partial, it describes every pin (page 1-5) and instruction (page 3-1) in detail.
We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. 
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines.
|- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 8b028cfe89aad8251a29e3e018429f7dbc8aa595 1601 1600 2009-03-25T23:42:59Z 74.235.64.101 0 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page.
'''The datasheet for the S5L8700X series (or at least part of it) has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. Even though it might be partial, it describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. 
Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !!
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 
d7cbfad569da29bfb7d40b9444e853ff12b5c0a3 1602 1601 2009-03-26T00:18:25Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. '''The datasheet for the S5L8700X series (possibly part of it?) has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. Apparently Marcoen Hirschberg added the link on November 25, 2008. We need to contact him and ask where he found it. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !!
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies.
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx d5c024302e593ec71819c3d1e1f758845896158b 1603 1602 2009-03-26T00:31:24Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. '''The datasheet for the S5L8700X series (possibly part of it?)
has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8701] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. 
No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8702] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !!
Details |- | CPU | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=S5L8700 Samsung S5L8720] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 
4ae04cf458a1eca3c75c17a67675b8667eed4ee1
Firmware decryption 0 66 1548 1541 2009-03-11T00:24:07Z Cmwslw 1 wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
==Helpful pages==
http://wikee.iphwn.org/
http://iphonejtag.blogspot.com/
c34c2ab5371656fa1a75207e8558729b3bb9c8ef
1554 1548 2009-03-13T23:37:33Z Cmwslw 1 wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://wikee.iphwn.org/
http://iphonejtag.blogspot.com/
a2c8724294665c79d4255667239ec9a4dd37a9fe
1555 1554 2009-03-14T00:21:15Z 68.212.244.12 0 wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ 02ecfe72c0aae1fc6c5897eb67b3d11b4358fb57 File:IPod Timeline.png 6 64 1552 2009-03-13T23:04:54Z Cmwslw 1 uploaded a new version of "[[Image:IPod Timeline.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Chronology 0 65 1553 1539 2009-03-13T23:26:48Z Cmwslw 1 wikitext text/x-wiki [[Image:IPod Timeline.png]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact hardware that was run on normal iPods. This was a major drain of money for Apple. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the imitators could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== d4ced989edf51d24f072c24bdcb146ffa45e9f30 1557 1553 2009-03-16T22:52:43Z Cmwslw 1 wikitext text/x-wiki [[Image:IPod Timeline.png]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. 
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.
==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the imitators could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.
==The Change==
34dd65e0e5feeb3d7f408c6ebbdaa2bd22cea2fe
1558 1557 2009-03-16T22:53:29Z Cmwslw 1 wikitext text/x-wiki
[[Image:IPod Timeline.png]]
==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.
==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices.
There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== 2134c729bb1595d612420c89525cc90c93a54781 File:Nano 1g bck a.png 6 67 1562 2009-03-19T00:18:08Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Main Page 0 50 1567 1543 2009-03-19T10:18:41Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Modes]] [[Chronology]] 5402f2be642ada9412d19726def473c47a369a81 1605 1567 2009-03-26T13:55:59Z 74.235.7.83 0 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. 
Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[S5L8700 datasheet]] [[Modes]] [[Chronology]] a8c88b27be308667b4ee49d9a2d70749fc4738a5 File:Nano 1g frt a.png 6 68 1574 2009-03-19T18:32:32Z Cmwslw 1 uploaded a new version of "[[Image:1G frt annotation.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 2g frt a.png 6 70 1575 2009-03-19T18:33:35Z Cmwslw 1 uploaded a new version of "[[Image:2G frt annotation.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 2g bck a.png 6 69 1576 2009-03-19T18:34:13Z Cmwslw 1 uploaded a new version of "[[Image:2G bck annotation.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 3g bck a.png 6 72 1578 2009-03-19T19:52:49Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 3g frt a.png 6 73 1579 2009-03-19T19:53:12Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 4g bck a.png 6 74 1580 2009-03-19T19:53:33Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 4g frt a.png 6 75 1581 2009-03-19T19:54:03Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 S5L8700 datasheet 0 255 1607 2009-03-26T20:02:14Z 74.235.64.41 0 New page: The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. The dat... 
wikitext text/x-wiki The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. The pin locations described in the datasheet are not the actual locations for the [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA] version. The FBGA version pin locations can be found [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html here], respectively. We could use the datasheet to find the locations of the JTAG pins, but finding where the traces go would be very challenging and require a high-res X-ray of the board. If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. ==Helpful pages== http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues e3fba225886439e1b2462a87470477ff95e885d3 1608 1607 2009-03-26T20:13:06Z 74.235.64.41 0 wikitext text/x-wiki The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. The pin locations described in the datasheet are not the actual locations for the [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA] version. The FBGA version pin locations can be found [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html here], respectively. We need someone to lift the processor off the board to verify the pin layout and examine the traces below the chip. 
Perhaps we could use the 2G tof used when he extracted the utility flash? We could use the datasheet to find the locations of the JTAG pins, but finding where the traces go would be very challenging and require a high-res X-ray of the board. If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. ==Helpful pages== http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues cae430683daf52e728ab2c273d5c2a2cad171e45 1609 1608 2009-03-26T20:15:30Z 74.235.64.41 0 wikitext text/x-wiki The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. The pin locations described in the datasheet are not the actual locations for the [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA] version. The FBGA version pin locations can be found [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html here], respectively. We need someone to lift the processor off the board to verify the pin layout and examine the traces below the chip. Perhaps we could use the 2G tof used when he extracted the utility flash? We could use the datasheet to find the locations of the JTAG pins, but finding where the traces go would be very challenging and require a high-res X-ray of the board. If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. A poster on the thread previously mentioned claimed that [http://f4eru.free.fr/SOC%20FBGA%20pins.pdf this] was the actual pin layout of the Nano 2G. 
==Helpful pages== http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues 54878caf8d45a3d5130ade2975275bb92ff971b1 1611 1609 2009-03-26T20:24:39Z 74.235.64.41 0 wikitext text/x-wiki The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. The pin locations described in the datasheet are not the actual locations for the [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA] version. The FBGA version pin locations can be found [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html here], respectively. We need someone to lift the processor off the board to verify the pin layout and examine the traces below the chip. Perhaps we could use the 2G tof used when he extracted the utility flash? We could use the datasheet to find the locations of the JTAG pins, but finding where the traces go would be very challenging and require a high-res X-ray of the board. If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. A poster on the thread previously mentioned claimed that [http://f4eru.free.fr/SOC%20FBGA%20pins.pdf this] was the actual pin layout of the Nano 2G. 
==Helpful pages== http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues f9e9a0d55f30a2b00416b8719c07c91979f9dbbe 1612 1611 2009-03-26T20:37:23Z 74.235.64.41 0 wikitext text/x-wiki The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. The pin locations described in the datasheet are not the actual locations for the [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA] version. The FBGA version pin locations can be found [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html here], respectively. We need someone to lift the processor off the board to verify the pin layout and examine the traces below the chip. Perhaps we could use the 2G tof used when he extracted the utility flash? We could use the datasheet to find the locations of the JTAG pins, but finding where the traces go would be very challenging and require a high-res X-ray of the board. If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. Edit: It has been confirmed that the package is actually a 226-pin FBGA instead of a 232-pin one. Because of this, we do not know the pin layout, and the JTAG pins might have been taken out. A poster on the thread previously confirmed this [http://f4eru.free.fr/SOC%20FBGA%20pins.pdf in his drawing] of the Nano 2G's processor. 
==Helpful pages==
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
5ec544401201ea6808b43776f829b149047023f4
1618 1612 2009-03-27T00:16:17Z Cmwslw 1 wikitext text/x-wiki
The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail.
==Package differences==
[[Image:8700 ball layout.png|thumb|S5L8700 ball layout (not the iPod's, though)]]The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html This forum thread] describes the pinout of another S5L8700 package in another device (see right for ball layout).
==Possible uses==
If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. Ironically though, if we ''could'' run custom code, we wouldn't need to read the boot ROM in the first place. So as of now, we have no real use for the datasheet.
==Helpful pages==
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
2af0721141ecbc741d39d56cf743d1e07de8874d
1619 1618 2009-03-27T00:17:48Z Cmwslw 1 wikitext text/x-wiki
The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon.
It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail.
==Package differences==
[[Image:8700 ball layout.png|thumb|S5L8700 ball layout (not the iPod's, though)]]The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html This forum thread] describes the pinout of another S5L8700 package in another device (see right for ball layout).
==Possible uses==
If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. Ironically though, if we ''could'' run custom code, we wouldn't need to read the boot ROM in the first place. So as of now, we have no real use for the datasheet. Once we do get custom code running on the Nano, the datasheet will be a real help with the porting of Linux.
==Helpful pages==
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
2a33dcfe0eb946ff7601c195ef9aff92fb5d1056
Talk:Firmware decryption 1 76 1610 2009-03-26T20:23:37Z 80.240.220.238 0 /* DSP */ new section wikitext text/x-wiki
you need access to the aes engine. what happens is the bootloader has a "salt", if that is the correct word for it, as I am not a crypto expert, and that is encrypted with the system gid key. the result of that was used as the key, with an IV of 0, to decrypt the firmware files. now, the thing is, this gid key is never loaded into ram, so any time you need to utilize it, you need direct access to the aes engine.
this means, basically, you need to be able to write to the registers directly, no kernel or anything to get in the way. hopefully this helps, that is how it worked for the iPod touch and iPhone before Apple came out with the new KBAG method, so it should probably give you a push in the right direction. I have no idea how the nano does stuff, so I don't know how feasible this would actually be for you all. [[User:Chronic|Chronic]] 01:50, 26 March 2009 (UTC)
== DSP ==
Can DSP be involved in encrypt-decrypt process? Newer chips sometimes include embedded encryption unit, but n2g's CPU does not - so why don't use DSP. Need more info on "CalmRisc16+MAC2424".
edf521d14c5807bf1fe7e79bca574e1f9f41eb3d
File:8700 ball layout.png 6 81 1617 2009-03-27T00:09:43Z Cmwslw 1 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
Firmware decryption 0 66 1624 1555 2009-03-27T00:43:37Z Cmwslw 1 wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://code.google.com/p/iphone-elite/w/list
http://code.google.com/p/chronicdev/w/list
http://wikee.iphwn.org/
http://iphonejtag.blogspot.com/
14697d64b7c4ce99fb6d6ef271a6ccdbed32079c
1641 1624 2009-03-27T13:07:02Z Cmwslw 1 Protected "[[Firmware encryption]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://code.google.com/p/iphone-elite/w/list
http://code.google.com/p/chronicdev/w/list
http://wikee.iphwn.org/
http://iphonejtag.blogspot.com/
14697d64b7c4ce99fb6d6ef271a6ccdbed32079c
Hardware 0 54 1628 1603 2009-03-27T00:52:30Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page.
'''The datasheet for the S5L8700X series (possibly part of it?) has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| PortalPlayer PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano.
|} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, DSP (CalmRisc16+MAC2424), 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) 
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed
===2G Nano===
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
http://content.techrepublic.com.com/2346-13636_11-170826-1.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
a495e79e7060b570fd7de997e6250845f7719566
1629 1628 2009-03-27T01:25:46Z 80.240.220.238 0 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page.
'''The datasheet for the S5L8700X series (possibly part of it?)
has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. 
It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx f87262b002d680715290318b4249ab2c3f6458ce 1631 1629 2009-03-27T12:40:18Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing 
the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. '''The datasheet for the S5L8700X series (possibly part of it?) has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts.
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI].
Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 82def835c7161a6fafef38413ddc4624e871d708 1632 1631 2009-03-27T12:40:58Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. '''The datasheet for the S5L8700X series (possibly part of it?)
has been located!''' You can download it [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here] (link from [http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues this Rockbox wiki page]), but I (cmwslw) will try to get it hosted on my site soon. The datasheet describes every pin (page 1-5) and instruction (page 3-1) in detail. We now know the exact locations of the JTAG pins, and a lot of other information about the chip. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor.
It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 0d9136e59e60ac57db82f2b7ed50a495acdc6860 1633 1632 2009-03-27T12:42:35Z Cmwslw 1 wikitext 
text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. No documentation available for the S5L series, and contacting Samsung doesn't help either. The processor itself is Apple-branded and marked 337S3291 8701.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor.
It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 86f1f199fb809883ba0ae32d2783ab972fe8a2dd 1642 1633 2009-03-27T13:07:22Z Cmwslw 1 
Protected "[[Hardware]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki 86f1f199fb809883ba0ae32d2783ab972fe8a2dd 1652 1642 2009-03-27T21:27:23Z A W 5 wikitext
text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor.
It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx e8cf583aa2cb2103c61b273883634a33fae7d0bc Main Page 0 50 1634 1605 2009-03-27T13:03:56Z 
Cmwslw 1 Protected "[[Linux4nano Wiki]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.

==This wiki==
[[About]]

==iPod Firmware==
===Obtaining===
[[Dumping firmware]]
[[Extracting firmware]]
[[Disassembling firmware]]

===Analysis===
[[Firmware]]
[[Bootstrapping sequence]]
[[Firmware encryption]]

==iPod Hardware==
[[Hardware]]
[[Hardware annotation]]
[[S5L8700 datasheet]]
[[Modes]]
[[Chronology]]

a8c88b27be308667b4ee49d9a2d70749fc4738a5 1650 1634 2009-03-27T13:18:53Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.
'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.

==This wiki==
[[About]]

==iPod Firmware==
===Obtaining===
[[Dumping firmware]]
[[Extracting firmware]]
[[Disassembling firmware]]

===Analysis===
[[Firmware]]
[[Bootstrapping sequence]]
[[Firmware encryption]]

==iPod Hardware==
[[Hardware]]
[[Hardware annotation]]
[[S5L8700 datasheet]]
[[Modes]]
[[Chronology]]

e48fa17ea10a9d24989538999e25f5aada19331a 1661 1650 2009-04-19T16:22:00Z Cmwslw 1 moved [[Linux4nano Wiki]] to [[Main Page]] wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

Please excuse the fact that this is on the NXT++ wiki; I can't set up another wiki on my server right now. Please also excuse the slow and unreliable hosting. I am using a free service until I can set up my own server.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.

==This wiki==
[[About]]

==iPod Firmware==
===Obtaining===
[[Dumping firmware]]
[[Extracting firmware]]
[[Disassembling firmware]]

===Analysis===
[[Firmware]]
[[Bootstrapping sequence]]
[[Firmware encryption]]

==iPod Hardware==
[[Hardware]]
[[Hardware annotation]]
[[S5L8700 datasheet]]
[[Modes]]
[[Chronology]]

e48fa17ea10a9d24989538999e25f5aada19331a 1663 1661 2009-04-21T02:27:33Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project.
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.

==This wiki==
[[About]]

==iPod Firmware==
===Obtaining===
[[Dumping firmware]]
[[Extracting firmware]]
[[Disassembling firmware]]

===Analysis===
[[Firmware]]
[[Bootstrapping sequence]]
[[Firmware encryption]]

==iPod Hardware==
[[Hardware]]
[[Hardware annotation]]
[[S5L8700 datasheet]]
[[Modes]]
[[Chronology]]

318cd137de2c07601f8905516c4a72b9f65d4dbd 1680 1663 2009-05-12T19:02:47Z Cmwslw 1 wikitext text/x-wiki

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.
==This wiki==
[[About]]

==iPod Firmware==
===Obtaining===
[[Dumping firmware]]
[[Extracting firmware]]
[[Disassembling firmware]]

===Analysis===
[[Firmware]]
[[Bootstrapping sequence]]
[[Firmware encryption]]

==iPod Hardware==
[[Hardware]]
[[Hardware annotation]]
[[S5L8701 analysis]]
[[S5L8700 datasheet]]
[[Modes]]
[[Chronology]]

94c1232c7247d796ab18c433d4b6cbda92457537 Dumping firmware 0 53 1636 1504 2009-03-27T13:04:56Z Cmwslw 1 Protected "[[Dumping firmware]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

The first step to examining the iPod's firmware is getting an image of it. You can either retrieve an image from the iPod or download one from the internet.

==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out!
At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}

You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

5461870fc5a50c4cfb2bd202130d1c87f09f3bb7 Extracting firmware 0 57 1637 1544 2009-03-27T13:05:24Z Cmwslw 1 Protected "[[Extracting firmware]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command.

Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.
If you need more information about using extract2g, type in:
<pre>extract2g --help</pre>

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

e5cb5df2d7138a6957d65fcbe7d6c617b4c5afd9 Firmware 0 56 1639 1542 2009-03-27T13:06:29Z Cmwslw 1 Protected "[[Firmware]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.
[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of the different firmware versions for the iPod Nano 2G:
[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

0ffbf82e8b7625580df9d9b45b46b14bacd0ebf8 1653 1639 2009-03-28T04:13:43Z A W 5 Nano 4g partitions wikitext text/x-wiki

This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.
[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of the different firmware versions for the iPod Nano 2G:
[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4G doesn't have an ''aupd'' partition. Instead, seven new partitions were added: appl, chrg, bdhw, diag, bdsw, disk, lbat. The disk and diag partitions possibly contain the Disk and Diagnostic modes.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

9765b4f5a0a9ae60d2f0a29ba21880406f916de1 S5L8700 datasheet 0 255 1644 1619 2009-03-27T13:08:01Z Cmwslw 1 Protected "[[S5L8700 datasheet]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

The datasheet for the S5L8700X series can be downloaded [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here], but I (cmwslw) will try to get it hosted on my site soon. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail.

==Package differences==
[[Image:8700 ball layout.png|thumb|S5L8700 ball layout (not the iPod's, though)]]
The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html This forum thread] describes the pinout of another S5L8700 package in another device (see right for ball layout).
==Possible uses==
If we could use the datasheet to find a way of reading the 50KB embedded ROM, we would be able to figure out how the firmware is decrypted. Ironically though, if we ''could'' run custom code, we wouldn't need to read the boot ROM in the first place. So as of now, we have no real use for the datasheet. Once we do get custom code running on the Nano, the datasheet will be a real help with the porting of Linux.

==Helpful pages==
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

2a33dcfe0eb946ff7601c195ef9aff92fb5d1056 Modes 0 52 1645 1540 2009-03-27T13:08:17Z Cmwslw 1 Protected "[[Modes]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.
It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted.
This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

a459bbcf673d7ba1f3a452a4ec9377b20f9dff49 1659 1645 2009-04-05T20:58:03Z Sarg 6 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.

It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.
The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod.
Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

3d836becbf701265921dc581075a6d49a165d499 1664 1659 2009-04-30T01:16:46Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.

It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
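
The product-ID check described under "Getting DFU mode on 3G/4G", as an added shell example that is not part of the original wiki page: it compares an lsusb capture taken before the button hold with one taken after and reports Apple devices that re-enumerated. The function names and the two sample captures are assumptions made for this example; the product IDs are the ones listed above.

```shell
#!/bin/sh
# Added example (not the wiki's or the Linux4nano project's code).
# Product IDs come from this page; any other Apple product ID is reported as
# "apple-unknown" so that it can be written down and added to the wiki.

# classify_id VID:PID -> prints one label
classify_id() {
    id=$(printf '%s' "$1" | tr 'ABCDEF' 'abcdef')
    case "$id" in
        05ac:1224) echo "nano3g-dfu" ;;
        05ac:1225) echo "nano4g-dfu" ;;
        05ac:1263) echo "nano4g-normal" ;;
        05ac:*)    echo "apple-unknown" ;;
        *)         echo "other" ;;
    esac
}

# apple_ids: reads lsusb output on stdin and prints "vid:pid label" for every
# Apple device, sorted and de-duplicated. Lines that are not in the
# "Bus N Device N: ID vid:pid ..." form are skipped.
apple_ids() {
    while read -r w1 _bus w2 _dev w3 id _rest || [ -n "$w1" ]; do
        if [ "$w1" != "Bus" ] || [ "$w2" != "Device" ] || [ "$w3" != "ID" ]; then
            continue
        fi
        label=$(classify_id "$id")
        if [ "$label" != "other" ]; then
            printf '%s %s\n' "$(printf '%s' "$id" | tr 'ABCDEF' 'abcdef')" "$label"
        fi
    done | sort -u
}

# mode_change BEFORE AFTER: both arguments are complete lsusb outputs.
# Prints the Apple IDs that are present in AFTER but not in BEFORE.
mode_change() {
    before=$(printf '%s\n' "$1" | apple_ids)
    after=$(printf '%s\n' "$2" | apple_ids)
    printf '%s\n' "$after" | while read -r id label; do
        if [ -z "$id" ]; then
            continue
        fi
        if ! printf '%s\n' "$before" | grep -q "^$id "; then
            printf '%s %s\n' "$id" "$label"
        fi
    done
}

# Constructed sample captures (not real device output; bus and device numbers
# are made up). On a live system use: before=$(lsusb), hold the buttons,
# after=$(lsusb), then mode_change "$before" "$after".
SAMPLE_BEFORE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 05ac:1263 Apple, Inc.'
SAMPLE_AFTER='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 006: ID 05AC:1225 Apple, Inc.'

mode_change "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

An "apple-unknown" line in the output is the case the text above asks about: a product ID that this page does not list yet.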
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

6333c04c30337a639df0924ce14017cad4ffe508 1666 1664 2009-04-30T02:12:10Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.

It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

Here is an image of the 4G's DFU specifications: [[File:N4G DFU.png]]. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

782bddf30fc060ac9132b80f5a9b21b4d8bac4f9 1667 1666 2009-04-30T02:15:06Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.

It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
[[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Using the dfu-utils===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
<pre>apt-get install dfu-util</pre>
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
<pre>dfu-util -t 64 -U ipod</pre>

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf cdd834636a19e271e7bfa61bea5c1d39b8b0aa54 1668 1667 2009-05-05T12:34:40Z Cmwslw 1 /* Using the dfu-utils */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]] # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device in your USB listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode. ===Using the dfu-utils=== While in DFU mode, you should be able to read and write the iPod's firmware. There is a DFU tool from OpenMoko called dfu-util that works with their devices and some others, but it is not compatible with the Nanos. On a Debian-based system, it can be obtained by the following command: <pre>apt-get install dfu-util</pre> This tool does not work with the Nanos since their Samsung CPU uses a slightly different protocol. As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the Nanos do.
We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Just for your information, using dfu-util with this command, the same 64-byte sequence is repeated until the command is aborted. IIRC, it is always bytes of 255: <pre>dfu-util -t 64 -U ipod</pre> Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf f9958f77e3c8f403a09bb749a4b3dd7196614aa8 1669 1668 2009-05-05T12:36:02Z Cmwslw 1 /* Using the dfu-utils */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]] # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device in your USB listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications.
The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode. ===Crafting a DFU util for the Nanos=== While in DFU mode, you should be able to read and write the iPod's firmware. There is a DFU tool from OpenMoko called [http://wiki.openmoko.org/wiki/Dfu-util dfu-util] that works with their devices and some others, but it is not compatible with the Nanos. On a Debian-based system, it can be obtained by the following command: <pre>apt-get install dfu-util</pre> This tool does not work with the Nanos since their Samsung CPU uses a slightly different protocol. As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Just for your information, using dfu-util with this command, the same 64-byte sequence is repeated until the command is aborted. IIRC, it is always bytes of 255: <pre>dfu-util -t 64 -U ipod</pre> Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
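An added example (not code from this wiki, dfu-util or the Linux4nano project) for the two DFU observations above, the "version 1.1" reading and the upload that returns only bytes of 255: it walks a configuration descriptor to the DFU functional descriptor defined in the USB DFU specification, decodes it, and checks whether an uploaded block is blank. The descriptor bytes are constructed sample data, not values read from a Nano, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DFU_DT_FUNCTIONAL 0x21   /* DFU functional descriptor type */

/* bmAttributes bits of the DFU functional descriptor */
#define DFU_CAN_DNLOAD   0x01
#define DFU_CAN_UPLOAD   0x02
#define DFU_MANIFEST_TOL 0x04
#define DFU_WILL_DETACH  0x08    /* defined by DFU 1.1 */

struct dfu_func_desc {
    uint8_t  attributes;      /* bmAttributes */
    uint16_t detach_timeout;  /* wDetachTimeOut, milliseconds */
    uint16_t transfer_size;   /* wTransferSize, bytes per control transfer */
    uint16_t dfu_version;     /* bcdDFUVersion, 0x0110 means DFU 1.1 */
};

/* Constructed sample (not captured from an iPod):
 * configuration + interface + DFU functional descriptor. */
static const uint8_t sample_cfg[] = {
    0x09, 0x02, 0x1B, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, /* configuration */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x02, 0x00, /* interface     */
    0x09, 0x21, 0x03, 0xE8, 0x03, 0x40, 0x00, 0x10, 0x01  /* DFU functional */
};

/* USB descriptors store multi-byte fields little-endian. */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk a descriptor blob looking for the DFU functional descriptor.
 * Returns 0 when found and decoded, 1 when absent, -1 when the blob is
 * malformed (a bLength below 2 would loop forever, a bLength past the end
 * would read out of bounds, so both are rejected). */
int dfu_find_func_desc(const uint8_t *cfg, size_t len, struct dfu_func_desc *out)
{
    size_t off = 0;

    while (off + 2 <= len) {
        uint8_t blen  = cfg[off];
        uint8_t btype = cfg[off + 1];

        if (blen < 2 || off + blen > len)
            return -1;
        if (btype == DFU_DT_FUNCTIONAL) {
            if (blen < 7)
                return -1;
            out->attributes     = cfg[off + 2];
            out->detach_timeout = le16(cfg + off + 3);
            out->transfer_size  = le16(cfg + off + 5);
            /* DFU 1.0 descriptors are 7 bytes and carry no version field;
             * the 9-byte form adds bcdDFUVersion. */
            out->dfu_version = (blen >= 9) ? le16(cfg + off + 7) : 0x0100;
            return 0;
        }
        off += blen;
    }
    return 1;
}

/* Returns 1 when every byte of an uploaded block is 0xFF (255), i.e. the
 * device answered the upload request without returning firmware data. */
int upload_is_blank(const uint8_t *buf, size_t len)
{
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++)
        if (buf[i] != 0xFF)
            return 0;
    return 1;
}

int main(void)
{
    struct dfu_func_desc d;
    uint8_t block[64];

    memset(block, 0xFF, sizeof block);   /* constructed 64-byte upload block */

    if (dfu_find_func_desc(sample_cfg, sizeof sample_cfg, &d) == 0)
        printf("DFU %x.%x, transfer size %u, upload %s\n",
               (unsigned)(d.dfu_version >> 8),
               (unsigned)((d.dfu_version >> 4) & 0xF),
               (unsigned)d.transfer_size,
               (d.attributes & DFU_CAN_UPLOAD) ? "advertised" : "not advertised");
    printf("upload block blank: %d\n", upload_is_blank(block, sizeof block));
    return 0;
}
```
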
==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf 1f447d02d440024f8ffb699d225a0047b61e4928 1670 1669 2009-05-06T12:29:50Z Cmwslw 1 /* Crafting a DFU util for the Nanos */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]] # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device in your USB listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode. ===Crafting a DFU util for the Nanos=== While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the modified dfu-util by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano. As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo.
The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf d7191fd181d1b201520f3cd5ae095f85a174faea 1671 1670 2009-05-06T12:30:27Z Cmwslw 1 /* Crafting a DFU util for the Nanos */ wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom.
Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]] # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You should see this device in your USB listing (lsusb): <pre> Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (for 3G) Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G) </pre> The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns: <pre> Bus XXX Device YYY: ID 05ac:1263 Apple, Inc. *example for 3G needed* </pre> 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
===Crafting a DFU util for the Nanos=== While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano. As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf c88de70299776cbe67aff9b1325605cb3e1f2b8e Chronology 0 65 1646 1558 2009-03-27T13:08:50Z Cmwslw 1 Protected "[[Chronology]]" [edit=autoconfirmed:move=autoconfirmed] wikitext text/x-wiki [[Image:IPod Timeline.png]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted.
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== 2134c729bb1595d612420c89525cc90c93a54781 1647 1646 2009-03-27T13:09:28Z Cmwslw 1 wikitext text/x-wiki [[Image:IPod Timeline.png|500px]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.
==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== 512ae0c842bcd3bb922ea49137ee5297afa00019 1648 1647 2009-03-27T13:12:53Z Cmwslw 1 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.
==The Change== 84ce7e7970d7cb5bd5aa2ba6848be4c0190634e2 1649 1648 2009-03-27T13:15:08Z Cmwslw 1 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.
c0104f5d5b995d1b35f276bcd1c560230ce944b9 User:Cmwslw 2 77 1651 2009-03-27T13:32:29Z Cmwslw 1 wikitext text/x-wiki == ToDo == # http://www.mobilehandsetdesignline.com/197800854 # [[Talk:Bootstrapping sequence]], [[Talk:Firmware encryption]], 2G CPU of [[Hardware]] # Look over chronicdev wiki # Add DFU mode info (dfu-utils, Hardware manager) # Info about snooping RAM (FPGA, davidc) # Add info about bootrom and datasheet http://nxtpp.clustur.com/index.php?title=Bootstrapping_sequence&oldid=1630 http://nxtpp.clustur.com/index.php/Hardware 20efcc53ffa61be5aad619cdfe032d3dedaca2f5 Talk:Hardware 1 83 1656 2009-03-28T11:29:40Z A W 5 wikitext text/x-wiki http://www.13354833.cn/bbs/attachment.php?aid=287&k=b8f98b64946025a383279e6ec475212f&t=1223688783 Meizu S5L8700 connection schematics. Seems to be really close to actual layout... Or maybe it's not. b8ae5ae76c2f2ba78af1f1354d722ccccfdbbc83 File:N4G DFU.png 6 85 1665 2009-04-30T02:08:16Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:S5L8701 bonding wires via x-ray bottom view 2.jpg 6 86 1672 2009-05-12T15:12:10Z Sto 7 x ray of the 8701 showing the bonding wires wikitext text/x-wiki x ray of the 8701 showing the bonding wires 42c222dc26d0192f13542a3cf5470d30fafa9b2c File:S5L8701 top layer bottom view 2.jpg 6 87 1673 2009-05-12T15:31:24Z Sto 7 bottom layer of the 8701 substrate wikitext text/x-wiki bottom layer of the 8701 substrate 4893e6a06d7b27187e9bf27a9a26f78b29e73aae File:S5L8701 bottom layer bot view 2.jpg 6 88 1674 2009-05-12T15:32:53Z Sto 7 top layer of the 8701 substrate wikitext text/x-wiki top layer of the 8701 substrate 2e46e793b1239294936c0186b89845d5c4c14d4b S5L8701 analysis 0 89 1675 2009-05-12T15:49:32Z Sto 7 Created page with '== Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothi...'
wikitext text/x-wiki == Introduction == The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips or their further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information. Knowing the location of some JTAG pins could be very helpful. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double-sided PCB substrate. The electrical current passes through: -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700_datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == The following steps were performed: -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] c892a8f350b3b71ed6795048829e02e09960aaf9 1676 1675 2009-05-12T16:04:41Z Sto 7 wikitext text/x-wiki == Introduction == The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.
We currently know nearly nothing about the differences between the two chips or their further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information. Knowing the location of some JTAG pins could be very helpful. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double-sided PCB substrate. The electrical current passes through: -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700_datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == The following steps were performed: -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == to come soon... cb10bffe433db153b032446d054b0938a425913e 1677 1676 2009-05-12T17:56:05Z 87.211.49.117 0 wikitext text/x-wiki == Introduction == The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips or their further evolutions.
There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information. Knowing the location of some JTAG pins could be very helpful. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double-sided PCB substrate. The electrical current passes through: -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700_datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == The following steps were performed: -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == to come soon... badff77675e799ef9bae4d5654417c52c995e7c0 1678 1677 2009-05-12T19:02:06Z Cmwslw 1 moved [[Main Page/S5L8701 analysis]] to [[S5L8701 analysis]]:&#32;Don't know why 'Main Page/' got in front - cleaning up. wikitext text/x-wiki == Introduction == The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips or their further evolutions.
There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[known datasheet]S5L8700_datasheet] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == to come soon... badff77675e799ef9bae4d5654417c52c995e7c0 1681 1678 2009-05-12T19:11:28Z Cmwslw 1 /* Introduction */ wikitext text/x-wiki == Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. 
Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701%20pinout.ods here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[known datasheet]S5L8700_datasheet] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == to come soon... 432c6c20adbef296bd2865119c5a1650df4e04fb 1682 1681 2009-05-12T19:15:04Z Cmwslw 1 /* Structure of the packaging */ wikitext text/x-wiki == Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. 
We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701%20pinout.ods here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700_datasheet known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == to come soon... 
0c7d7c8c64b735375f4193a8b46165a7096b0597 1683 1682 2009-05-12T19:17:34Z Cmwslw 1 /* Structure of the packaging */ wikitext text/x-wiki == Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701%20pinout.ods here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. 
== Packaging analysis ==
The following steps were performed:
-desoldering of the IC
-removal of the balls and filler glue
-X-ray picture
-microscope picture of the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]]

== Guessed pinout table ==
to come soon...

00ea3e8c640fda31d00ab54fec615bef83c315a4

Main Page/S5L8701 analysis 0 90 1679 2009-05-12T19:02:06Z Cmwslw 1 moved [[Main Page/S5L8701 analysis]] to [[S5L8701 analysis]]: Don't know why 'Main Page/' got in front - cleaning up. wikitext text/x-wiki
#REDIRECT [[S5L8701 analysis]]
0e9caa6a21892540224bf7c7808ae9055be9782f

User talk:Genlee 3 91 1684 2009-05-17T15:43:50Z Genlee 8 Created page with 'I know you guys aren't finished yet but I'm completely willing to help with the project. I have an iPod nano 2G and quite frankly, it's boring. I wanna change that.' wikitext text/x-wiki
I know you guys aren't finished yet but I'm completely willing to help with the project. I have an iPod nano 2G and quite frankly, it's boring. I wanna change that.
43982fd3c10172d23401809984238362c63d53e2

1685 1684 2009-05-21T18:55:15Z Cmwslw 1 wikitext text/x-wiki
I know you guys aren't finished yet but I'm completely willing to help with the project. I have an iPod nano 2G and quite frankly, it's boring. I wanna change that.

Do you have any programming/electronics experience? If not, you could always help by donating hardware.
--[[User:Cmwslw]] - 5/21/09 14:53 EST
c2591f5ae986fb12890556e3ba11cb339ad90540

1686 1685 2009-05-21T18:55:34Z Cmwslw 1 wikitext text/x-wiki
I know you guys aren't finished yet but I'm completely willing to help with the project. I have an iPod nano 2G and quite frankly, it's boring. I wanna change that.

Do you have any programming/electronics experience? If not, you could always help by donating hardware.
--[[User:Cmwslw]] - 5/21/09 14:53 EST
bae86605ffe6027a3bcb15001bdb810d6e90e102

1687 1686 2009-05-21T18:56:42Z Cmwslw 1 wikitext text/x-wiki
I know you guys aren't finished yet but I'm completely willing to help with the project. I have an iPod nano 2G and quite frankly, it's boring. I wanna change that.

Do you have any programming/electronics experience? If not, you could always help by donating hardware.
-[[User:Cmwslw|Cmwslw]] 18:56, 21 May 2009 (UTC)
40512c35fa0452d7d5d0277f30dc9776f364b795

S5L8701 analysis 0 89 1688 1683 2009-05-31T13:33:25Z Sto 7 wikitext text/x-wiki
== Introduction ==
The Samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some competing MP3 players. We currently know almost nothing about the differences between the two chips, or about their later evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information. Knowing the location of some JTAG pins could be very helpful.

There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double-sided PCB substrate.
the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] one more broken nano 2G wanted. 56532c3e1943e53aaf03229238f08ffac540b012 1689 1688 2009-05-31T13:38:17Z Sto 7 wikitext text/x-wiki == Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. 
This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. == Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]] == Guessed pinout table == the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status. This is not an easy part of the work, each pad has to be tested for connections all over the board (most IC's removed) unfortunately, the board suffered from the unsoldering, some fragile pads are gone, so one more broken nano 2G is wanted. 4b7d6225595b02984953a923292295ad06f8b2f2 1692 1689 2009-06-07T18:10:14Z Cmwslw 1 cleaned up format wikitext text/x-wiki [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]] == Introduction == The samsung S5L8701 is the SOC of the IN2G. 
This chip is supposed to be close to the 8700 used on some competing MP3 players. We currently know almost nothing about the differences between the two chips, or about their later evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information. Knowing the location of some JTAG pins could be very helpful.

There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double-sided PCB substrate. The electrical current passes through:
-a pad of the chip die
-a bonding wire
-the top layer of the substrate
-a via
-the bottom layer
-finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==
The following steps were performed:
-desoldering of the IC
-removal of the balls and filler glue
-X-ray picture
-microscope picture of the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==
The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status. This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). Unfortunately, the board suffered from the desoldering and some fragile pads are gone, so one more broken nano 2G is wanted.
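The die-pad-to-ball correlation described under "Packaging analysis", as an added example that is not part of the original wiki page or of the Linux4nano project's tools. It walks the conductors annotated in the X-ray, top-layer and bottom-layer views from each die pad to its ball; all segment data and feature names (pad:N, finger:N, via:N, ball:XY) are constructed for illustration and are not S5L8701 measurements.

```python
"""Correlate die pads to BGA balls by path finding across the three package views."""
from collections import defaultdict, deque

# Constructed sample data, NOT measurements of the S5L8701. Every tuple is one
# conductor seen in one view; the feature names are hypothetical labels a
# person would assign while annotating the superimposed pictures.
XRAY_BOND_WIRES = [          # X-ray view: die pad -> bond finger on the top layer
    ("pad:1", "finger:1"), ("pad:2", "finger:2"), ("pad:3", "finger:3"),
    ("pad:4", "finger:4"), ("pad:5", "finger:5"), ("pad:6", "finger:6"),
]
TOP_LAYER = [                # top-layer picture: bond finger -> via
    ("finger:1", "via:10"), ("finger:2", "via:11"), ("finger:3", "via:12"),
    ("finger:4", "via:12"),  # two fingers joined on one trace (shared net)
    ("finger:5", "via:13"), ("finger:6", "via:14"),
]
BOTTOM_LAYER = [             # bottom-layer picture: via -> ball
    ("via:10", "ball:A1"), ("via:11", "ball:B3"), ("via:12", "ball:C2"),
    # via:13 has no trace here: the copper was lost during preparation
    ("via:14", "ball:D4"), ("via:14", "ball:D5"),
]


def build_graph(*views):
    """Merge the per-view segment lists into one undirected adjacency map."""
    graph = defaultdict(set)
    for view in views:
        for a, b in view:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def trace(graph, pad):
    """Breadth-first walk from one die pad; returns {ball: path} for each ball reached."""
    parent = {pad: None}
    queue = deque([pad])
    paths = {}
    while queue:
        node = queue.popleft()
        if node.startswith("ball:"):
            path, cur = [], node
            while cur is not None:       # rebuild the path back to the pad
                path.append(cur)
                cur = parent[cur]
            paths[node] = path[::-1]
            continue                     # a ball ends the package path
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return paths


def correlate(graph):
    """Build the pad -> ball table and flag paths that need a second look."""
    pads = sorted((n for n in graph if n.startswith("pad:")),
                  key=lambda n: int(n.split(":")[1]))
    table = {}
    for pad in pads:
        paths = trace(graph, pad)
        if not paths:
            status = "open"              # path lost: re-image or use another sample
        elif len(paths) > 1:
            status = "multi-ball"        # one pad feeds several balls
        else:
            status = "ok"
        table[pad] = {"status": status, "paths": paths}
    return table


def shared_balls(table):
    """Balls reached from more than one die pad (typically supply nets)."""
    by_ball = defaultdict(list)
    for pad, row in table.items():
        for ball in row["paths"]:
            by_ball[ball].append(pad)
    return {ball: pads for ball, pads in by_ball.items() if len(pads) > 1}


if __name__ == "__main__":
    result = correlate(build_graph(XRAY_BOND_WIRES, TOP_LAYER, BOTTOM_LAYER))
    for pad, row in result.items():
        balls = ", ".join(sorted(row["paths"])) or "-"
        print(f"{pad:8} {row['status']:11} {balls}")
    print("shared:", shared_balls(result))
```

Pads reported as "open" are the ones that still have to be resolved on a second sample, which is why a damaged substrate leaves gaps in the pinout table.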
c23c343d502f6e5de98ee04e41ab6cb1db6e11eb 1697 1692 2009-06-14T08:51:45Z Sto 7 wikitext text/x-wiki [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]] == Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double side PCB substrate. the electrical current passes through : -a pad of the chip die -a bonding wire -the top layer of the substrate -a via -the bottom layer -finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB. 
== Packaging analysis == Following steps were made : -desoldering of the IC -removing of the balls and filler glue -X-ray picture -microscope picture of the bottom layer -removing the bottom layer and most of the substrate (by careful manual grinding) -microscope picture of the top layer -superposition of these views, and path finding from the die to the ball == Guessed pinout table == the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status. This is not an easy part of the work, each pad has to be tested for connections all over the board (most IC's removed). See [[Nano2G%2BHW%2Banalysis]] for further PCB analysis. bff4fcac12c76e9d631818345cadf9820a222a4a File:Top annote.jpg 6 92 1693 2009-06-14T07:57:23Z Sto 7 top layer of the ipod nano 2G pcb. some signals noted, including JTAG wikitext text/x-wiki top layer of the ipod nano 2G pcb. some signals noted, including JTAG 194235d643a5441854594ee769a71047cd64ae7a File:Bot annote.jpg 6 93 1694 2009-06-14T07:58:24Z Sto 7 bot layer of the ipod nano 2G pcb. some signals and testpoints noted wikitext text/x-wiki bot layer of the ipod nano 2G pcb. some signals and testpoints noted d5629cb647cedb6626c5a4175c9185cdc0861443 Nano2G HW analysis 0 94 1695 2009-06-14T08:48:15Z Sto 7 Created page with '[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|3...' wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. 
To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].

== JTAG ==
The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG:

 $ sudo jtag
 JTAG Tools 0.5.1
 Copyright (C) 2002, 2003 ETC s.r.o.
 JTAG Tools is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
 There is absolutely no warranty for JTAG Tools.
 Warning: JTAG Tools may damage your hardware! Type "quit" to exit!
 Type "help" for help.
 jtag> cable ppdev /dev/parport0 DLC5
 Initializing Xilinx DLC5 JTAG Parallel Cable III on ppdev port /dev/parport0
 Error: Cable initialization failed!
 jtag> cable parallel 0x378 DLC5
 Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x378
 jtag> detect
 IR length: 4
 Chain length: 1
 Device Id: 0
 chain.c(110) Part 0 without active instruction
 chain.c(133) Part 0 without active instruction
 chain.c(110) Part 0 without active instruction
 jtag> discovery
 Detecting IR length ... 4
 Detecting DR length for IR 1111 ... 1
 Detecting DR length for IR 0000 ... -1
 Detecting DR length for IR 0001 ... 1
 Detecting DR length for IR 0010 ... 5
 Detecting DR length for IR 0011 ... -1
 Detecting DR length for IR 0100 ... 1
 Detecting DR length for IR 0101 ... 1
 Detecting DR length for IR 0110 ... 1
 Detecting DR length for IR 0111 ... 1
 Detecting DR length for IR 1000 ... 1
 Detecting DR length for IR 1001 ... 1
 Detecting DR length for IR 1010 ... 1
 Detecting DR length for IR 1011 ... 1
 Detecting DR length for IR 1100 ... -1
 Detecting DR length for IR 1101 ... 1
 Detecting DR length for IR 1110 ... 32
 jtag>

We can see the instruction length is 4 bits. The screen freezes directly when we use the JTAG. We currently do not know if this interface is the JTAG of the ARM or the CALM processor. In the 8700 doc, there seems to be a switch pin. However, here, the switch pin (P10) is an output at H level. Even when forcing it to GND, there seems to be no change in the JTAG structure. Other pins were tried; no JTAG switching was found.

== Todo ==
-find which processor is connected
-check the doc of the ARM and the CALM for JTAG info
-try to use an ARM debugging program ?
-find a switch pin
-if the JTAG does not help, we can probably do SDRAM sniffing (the clock frequency was only about 12 MHz!)

04379c122664c7c214a678699b794c3ace653bda 1717 1695 2009-07-12T03:44:08Z Sto 7 wikitext text/x-wiki
[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]
[[File:2G_frt_annotation.png|300px]]
[[File:2G_bck_annotation.png|300px]]

== previous work ==
See [[Hardware#2G_Nano_2]].

== SOC analysis ==
[[S5L8701_analysis]]

== Circuit analysis ==
After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps.
After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].

== JTAG ==
The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG:

'''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so none of the memories are reachable any more. The only memories preserved are the data and instruction caches.

== JTAG cache dumps ==
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]).

Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.

[http://f4eru.free.fr/8701/dump_example.txt Dump example]

== getting code execution ? ==
[[]]

decbf15ef0ff6ea436753ac3961fb9f063f3466f 1721 1717 2009-07-12T05:02:47Z Sto 7 /* getting code execution ? */ wikitext text/x-wiki
[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]
[[File:2G_frt_annotation.png|300px]]
[[File:2G_bck_annotation.png|300px]]

== previous work ==
See [[Hardware#2G_Nano_2]].

== SOC analysis ==
[[S5L8701_analysis]]

== Circuit analysis ==
After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].

== JTAG ==
The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).
After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG:

'''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so none of the memories are reachable any more. The only memories preserved are the data and instruction caches.

== JTAG cache dumps ==
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]).

Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.

[http://f4eru.free.fr/8701/dump_example.txt Dump example]

== getting code execution ? ==
[[Nano2G getting exec]]

45b24571d3cad19a18ca8b62b8b7d9d68fbd404f 1746 1721 2009-07-16T23:41:48Z Cmwslw 1 moved [[Nano2G+HW+analysis]] to [[2G analysis]] wikitext text/x-wiki
[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]
[[File:2G_frt_annotation.png|300px]]
[[File:2G_bck_annotation.png|300px]]

== previous work ==
See [[Hardware#2G_Nano_2]].

== SOC analysis ==
[[S5L8701_analysis]]

== Circuit analysis ==
After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].

== JTAG ==
The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG:

'''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so none of the memories are reachable any more. The only memories preserved are the data and instruction caches.
== JTAG cache dumps ==
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]).

Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.

[http://f4eru.free.fr/8701/dump_example.txt Dump example]

== getting code execution ? ==
[[Nano2G getting exec]]

45b24571d3cad19a18ca8b62b8b7d9d68fbd404f

Main Page 0 50 1696 1680 2009-06-14T08:50:32Z Sto 7 /* iPod Hardware */ wikitext text/x-wiki
This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net.

[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because many of the hardware and software aspects are similar to those of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.
==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[S5L8700 datasheet]] [[Modes]] [[Chronology]] 04e5efb89ede068bca9731b55515978f7ba0894f 1699 1696 2009-06-28T02:30:22Z Cmwslw 1 /* iPod Hardware */ wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 2e2115f1c51c0ca7f7156a22c2d3b8de1501be46 1700 1699 2009-06-28T02:33:43Z Cmwslw 1 added link to IRC logs wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. 
[http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 2f09ccfcf454a5644fecb1988dba3eb5b368d646 1704 1700 2009-07-02T19:45:52Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. 
==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 8205e25cee44075d6d0f4218e4c9789a420b6897 1707 1704 2009-07-02T22:07:56Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Bootrom]] [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 236f701d5bea38445e4dfccd6a3a4bf5f07d1757 1720 1707 2009-07-12T05:02:05Z Sto 7 /* iPod Firmware */ wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. 
IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Bootrom]] [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] === 2G hacking and unencrypted firmware analysis === [[Nano2G getting exec]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] ca663beb19d165b7b7e0ef6a796b7811e79ac4e0 1727 1720 2009-07-16T17:13:47Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. 
==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Bootrom]] [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] === 2G hacking and unencrypted firmware analysis === [[Nano2G getting exec]] [[iBuggerLoader]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 68752e0d09fdcb82d438b44594ab7484b4cd5220 1750 1727 2009-07-16T23:42:36Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Bootrom]] [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] === 2G hacking and unencrypted firmware analysis === [[Getting execution]] [[iBugger Loader]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[2G analysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] bc430685ac5989cae1cae0f601713f3310315d23 1751 1750 2009-07-17T00:21:31Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. 
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod. Project status: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16) '''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit. ==This wiki== [[About]] ==iPod Firmware== ===Obtaining=== [[Dumping firmware]] [[Extracting firmware]] [[Disassembling bootrom]] [[Disassembling firmware]] ===Analysis=== [[Bootrom]] [[Firmware]] [[Bootstrapping sequence]] [[Firmware encryption]] === 2G hacking and unencrypted firmware analysis === [[Getting execution]] [[iBugger Loader]] ==iPod Hardware== [[Hardware]] [[Hardware annotation]] [[2G analysis]] and [[S5L8701 analysis]] [[Modes]] [[Chronology]] 84c8952e73a9883773891474aa0319fd88b333d7 1756 1751 2009-07-17T00:33:08Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. 
(password protected) '''Status at a glance: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16)''' [[About]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 9a5c4d6d61319aa03ae47f087e08572d2b5aa226 1759 1756 2009-07-17T00:35:24Z Cmwslw 1 wikitext text/x-wiki This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. '''Status at a glance: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16)''' [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 0ab48dcab4cd33b6ae3c00fb9a8763e8af11fd18 1762 1759 2009-07-17T00:44:01Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. 
'''Status at a glance: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16)''' [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 124546dd723190a20af1aa97acf9d4b33d80e1d4 1763 1762 2009-07-17T00:49:07Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net]. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. '''Status at a glance: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16)''' [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] d25d7b261a75bcceba003ebbb9c3c573c00a9c62 1764 1763 2009-07-18T01:02:13Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net]. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. 
'''Status at a glance: perfecting LCD drivers for the 2G nano, awaiting code execution confirmation on the 6G classic (7-16)''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 586b34d95c572667a264843f7fedf385441430fb 1776 1764 2009-07-19T13:15:53Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net]. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. '''Status at a glance: LCD drivers pretty much done (ex. iBugger). Fixing freeze that occurs with timer interrupts (7-19)''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 64ad089b9788775bd765bf7b88a0e8c9c2f21dbc 1778 1776 2009-07-19T21:09:59Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. '''Status at a glance: LCD drivers pretty much done (ex. iBugger). 
Fixing freeze that occurs with timer interrupts (7-19)''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] fc76ad3e10c15f3ffa5085dada8f75ddbaeb3f71 1784 1778 2009-07-21T22:09:09Z Cmwslw 1 updated status wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at [[About this wiki]]. '''Status at a glance: implementing a debugging console within iBugger, and working on audio drivers. iBugger can now run the Rockbox bootloader without hitches.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 0783255a05cc79c88b47014049e643efe240382f 1786 1784 2009-07-22T01:08:43Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. 
'''Status at a glance: implementing a debugging console within iBugger, and working on audio drivers. iBugger can now run the Rockbox bootloader without hitches.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] dfcb9c63a77c8600c2792d992aaffb3ddf8839df 1787 1786 2009-07-22T13:50:21Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: implementing a debugging console within iBugger, and working on audio drivers. iBugger can now run the Rockbox bootloader without hitches. Working on injecting code into an iTunesDB file''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 2ee765216413491f8e392982dee928a9880b672f 1788 1787 2009-07-22T14:32:31Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. 
IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page.

'''Status at a glance: Further improving iBugger, and working on audio drivers. iBugger can now run the Rockbox bootloader without hitches. Working on injecting code into an iTunesDB file for the other generations.'''

[[Todo list]]
[[Recent activity]]
[[Obtaining firmware]]
[[Firmware analysis]]
[[Hardware analysis]]
5f5054f177fd64ffc5f66191ddb673908bf7dddb Hardware 0 54 1698 1652 2009-06-14T09:04:55Z Sto 7 /* 2G Nano */ wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

For a visual hardware reference, visit the [[Hardware annotation]] page.

For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?)
central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]].
|
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies.
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash
| Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]].
|}

==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx

http://arstechnica.com/apple/reviews/2005/09/nano.ars/4

[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed

===2G Nano===
[[Nano2G%2BHW%2Banalysis]]

[[S5L8701 analysis]]

http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1

http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#

http://content.techrepublic.com.com/2346-13636_11-170826-1.html

http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1

http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html

[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx

http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
8f2fd377aa68f52b12a2c5797441adcb6bd1de30 Modes 0 52 1701 1671 2009-07-01T22:21:26Z Cmwslw 1 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.
For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
*example for 3G needed*
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
5ba3a64bd3915a27fd4ddad5a102840f6c2954c0 1714 1701 2009-07-03T19:52:19Z GodEater 12 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
[[File:N4G DFU.png|thumb]]
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
</pre>
The following example is for the 3G Nano:
<pre>
Bus 002 Device 006: ID 05ac:1223 Apple, Inc.
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU implementation seems to be version 1.1, based on the USB spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file contains a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus 002 Device 006: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x05ac Apple, Inc.
  idProduct 0x1223
  bcdDevice 0.01
  iManufacturer 1 Apple Computer, Inc.
  iProduct 2 USB DFU Device
  iSerial 3 87020000000001
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80
      (Bus Powered)
    MaxPower 100mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 0
      bInterfaceClass 254 Application Specific Interface
      bInterfaceSubClass 1 Device Firmware Update
      bInterfaceProtocol 2
      iInterface 0
      ** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength 10
  bDescriptorType 6
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  bNumConfigurations 1
Device Status: 0x0000
  (Bus Powered)
</pre>
===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.
As stated in [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
9bad0647923aa8bcd7785e5a16cb8355f3b73702 1715 1714 2009-07-03T19:53:01Z GodEater 12 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])
==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes.
It is not yet known how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
[[File:N4G DFU.png|thumb]]
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
<pre>
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
</pre>
The following example is for the 3G Nano:
<pre>
Bus 002 Device 006: ID 05ac:1223 Apple, Inc.
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU implementation seems to be version 1.1, based on the USB spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file contains a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus 002 Device 006: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x05ac Apple, Inc.
  idProduct 0x1223
  bcdDevice 0.01
  iManufacturer 1 Apple Computer, Inc.
  iProduct 2 USB DFU Device
  iSerial 3 87020000000001
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80
      (Bus Powered)
    MaxPower 100mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 0
      bInterfaceClass 254 Application Specific Interface
      bInterfaceSubClass 1 Device Firmware Update
      bInterfaceProtocol 2
      iInterface 0
      ** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength 10
  bDescriptorType 6
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  bNumConfigurations 1
Device Status: 0x0000
  (Bus Powered)
</pre>
===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.
As stated in [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
1cdb73d93edc9fa0a481091af6cf1d437586481c 1716 1715 2009-07-03T19:59:24Z GodEater 12 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])
==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes.
It is not yet known how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
[[File:N4G DFU.png|thumb]]
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 4G *not* in DFU mode :
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
Nano 3G *not* in DFU mode :
Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU implementation seems to be version 1.1, based on the USB spec documents (see the links below). We need more devices! Email the mailing list if you can help! The 4G Nano's .ipsw file contains a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x05ac Apple, Inc.
  idProduct 0x1223
  bcdDevice 0.01
  iManufacturer 1 Apple Computer, Inc.
  iProduct 2 USB DFU Device
  iSerial 3 87020000000001
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80
      (Bus Powered)
    MaxPower 100mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 0
      bInterfaceClass 254 Application Specific Interface
      bInterfaceSubClass 1 Device Firmware Update
      bInterfaceProtocol 2
      iInterface 0
      ** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength 10
  bDescriptorType 6
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  bNumConfigurations 1
Device Status: 0x0000
  (Bus Powered)
</pre>
===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.
As stated in [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
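The nine bytes that lsusb printed as UNRECOGNIZED above have the layout of a DFU functional descriptor, and any tool written for the Nanos has to walk the descriptor chain to reach them without trusting the device's length fields. The following is an added example, not code from dfu-util, xpwn or Rockbox; the function and struct names are made up for illustration, and the first 18 bytes of the sample are re-encoded from the fields lsusb decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_INTERFACE      0x04
#define DT_DFU_FUNCTIONAL 0x21   /* DFU functional descriptor type */

struct dfu_functional {              /* hypothetical name, not a library type */
    int      can_download;           /* bmAttributes bit 0 */
    int      can_upload;             /* bmAttributes bit 1 */
    int      manifestation_tolerant; /* bmAttributes bit 2 */
    int      will_detach;            /* bmAttributes bit 3 */
    uint16_t detach_timeout_ms;      /* wDetachTimeOut */
    uint16_t transfer_size;          /* wTransferSize, bytes per transfer */
    uint16_t bcd_dfu_version;        /* bcdDFUVersion, BCD */
};

/* Configuration descriptor of the Nano 3G in DFU mode (wTotalLength 27).
 * The last 9 bytes are the "UNRECOGNIZED" bytes from the lsusb output; the
 * first 18 are constructed here from the values lsusb decoded. */
const uint8_t nano3g_cfg[27] = {
    0x09, 0x02, 0x1b, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, /* configuration  */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xfe, 0x01, 0x02, 0x00, /* interface      */
    0x09, 0x21, 0x03, 0x0a, 0x00, 0x00, 0x08, 0x00, 0x01, /* DFU functional */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Decode one DFU functional descriptor. Returns 0, or -1 if malformed. */
int dfu_parse_functional(const uint8_t *d, size_t len, struct dfu_functional *out)
{
    if (len < 7 || d[0] < 7 || d[0] > len || d[1] != DT_DFU_FUNCTIONAL)
        return -1;
    out->can_download           = (d[2] >> 0) & 1;
    out->can_upload             = (d[2] >> 1) & 1;
    out->manifestation_tolerant = (d[2] >> 2) & 1;
    out->will_detach            = (d[2] >> 3) & 1;
    out->detach_timeout_ms      = le16(d + 3);
    out->transfer_size          = le16(d + 5);
    /* The 7-byte form carries no version field; it is treated as 1.0 here. */
    out->bcd_dfu_version        = d[0] >= 9 ? le16(d + 7) : 0x0100;
    return 0;
}

/* Walk a configuration descriptor blob and decode the functional descriptor
 * that follows a DFU interface (class 0xFE, subclass 0x01). Every bLength is
 * checked against the remaining bytes, so a zero or oversized length from the
 * device ends the walk instead of looping or reading past the buffer. */
int dfu_find_functional(const uint8_t *cfg, size_t len, struct dfu_functional *out)
{
    size_t off = 0;
    int in_dfu_iface = 0;

    while (len - off >= 2) {
        uint8_t blen = cfg[off];
        uint8_t type = cfg[off + 1];

        if (blen < 2 || blen > len - off)
            return -1;
        if (type == DT_INTERFACE)
            in_dfu_iface = blen >= 9 && cfg[off + 5] == 0xFE && cfg[off + 6] == 0x01;
        else if (type == DT_DFU_FUNCTIONAL && in_dfu_iface)
            return dfu_parse_functional(cfg + off, blen, out);
        off += blen;
    }
    return -1;
}

int main(void)
{
    struct dfu_functional f;

    if (dfu_find_functional(nano3g_cfg, sizeof nano3g_cfg, &f) != 0) {
        puts("no DFU functional descriptor found");
        return 1;
    }
    printf("download=%d upload=%d manifest_tolerant=%d will_detach=%d\n",
           f.can_download, f.can_upload, f.manifestation_tolerant, f.will_detach);
    printf("detach timeout %u ms, transfer size %u bytes, bcdDFUVersion %04x\n",
           (unsigned)f.detach_timeout_ms, (unsigned)f.transfer_size,
           (unsigned)f.bcd_dfu_version);
    return 0;
}
```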
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
452b01bf0fd921b4c90fb9b6b739ab34dfe02e15
File:Nanofighter.jpg 6 97 1718 2009-07-12T04:51:02Z Sto 7 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709
Notes vulnerability 0 98 1719 2009-07-12T04:59:29Z Sto 7 Created page with '== Notes vulnerability == === Basics === The notes functionnality is basically a htm browser included in the ipod. Some doc can be found [http://developer.apple.com/ipod/iPodNot...' wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTM browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
*64kB files are loaded just after the boot of the nano
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one containing many files, but after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address.
For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F.
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc.
Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, else they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable. My complete setup is a little bit more complex:
[[File:Nanofighter.jpg|200px|thumb|left|nanofighter]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
to be documented
0c720406dec9cb8f085b6914cc6ade477952cd7e 1722 1719 2009-07-12T05:08:31Z 124.155.33.42 0 wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTM browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
*64kB files are loaded just after the boot of the nano
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one containing many files, but after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].
Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address.
For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F.
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task.
You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, else they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable. My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
to be documented
90840c76db545f8d4f4670b89d75d9791949e000 1723 1722 2009-07-12T05:55:48Z 81.5.85.228 0 /* Basics */ wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTM browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
*64kB files are loaded just after the boot of the nano
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars.
Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one containing many files, but after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address.
For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F.
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F).
An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, else they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable. My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
to be documented
ab8ad576f14c63cab5c0825659485df51c100bd1 1724 1723 2009-07-12T12:11:18Z TheSeven 13 wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTM browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].
Basic rules are:
*64kB files are loaded just after the boot of the nano (needs to be validated, there were some issues --[[User:TheSeven|TheSeven]] 12:11, 12 July 2009 (UTC))
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one containing many files, but after UTF16 processing (the latter needs to be validated, there were some issues --[[User:TheSeven|TheSeven]] 12:11, 12 July 2009 (UTC))
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address.
For convenience, the return address is always encoded using %xx URL encodings.
This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (should not be an issue if they are in fact first transcoded to utf8 and then unescaped --[[User:TheSeven|TheSeven]] 12:11, 12 July 2009 (UTC))
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, else they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable.
My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] *left board : DLC5 JTAG interface, modified for reset and USB switching *right board : some programmer board, only the ST232 is used *upper board : this was the JTAG scanner, now only the power supply and 5V regulator are used *middle board : all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == Because UART needs HW, USB will be used to debug in the future. == Analysis of the dumps == to be documented 7d56b0087090f271889c855c800aa28575d7ee69 1725 1724 2009-07-12T14:33:35Z TheSeven 13 /* Basics */ wikitext text/x-wiki == Notes vulnerability == === Basics === The notes functionality is basically a htm browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are: *64kB files are loaded just after the boot of the nano, however they are not kept in RAM *each file is limited to 4kB *the links point to other files, or to other notes, or to media files. *the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;) There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing === File loading === The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are: *FE FF : UTF16 BOM *D8 00 up to DF FF : not checked what happens when inserting them *00 00 : would stop string processing The opcodes to execute will be placed in the body of the htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack.
We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded as multiple bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied into a limited buffer which is located on the stack. Putting a return address repeatedly in the link makes the processor jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (should not be an issue if they are in fact first transcoded to utf8 and then unescaped --[[User:TheSeven|TheSeven]] 12:11, 12 July 2009 (UTC)) == Exploiting, getting execution == To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc.
Caches are activated; the recommendation is to disable them when doing complex IO & DMA work, otherwise they can interfere. == Dumping memories == For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues. == UART == The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] how to build a UART cable. My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] *left board : DLC5 JTAG interface, modified for reset and USB switching *right board : some programmer board, only the ST232 is used *upper board : this was the JTAG scanner, now only the power supply and 5V regulator are used *middle board : all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == Because UART needs HW, USB will be used to debug in the future. == Analysis of the dumps == to be documented 71eb3504f97334f9de227357470ec5eb2288c186 1726 1725 2009-07-12T14:34:37Z TheSeven 13 /* Link overflow */ wikitext text/x-wiki == Notes vulnerability == === Basics === The notes functionality is basically a htm browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are: *64kB files are loaded just after the boot of the nano, however they are not kept in RAM *each file is limited to 4kB *the links point to other files, or to other notes, or to media files. *the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;) There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing === File loading === The htm file is converted to UTF-16 first. This limits the possible char sequences.
The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are: *FE FF : UTF16 BOM *D8 00 up to DF FF : not checked what happens when inserting them *00 00 : would stop string processing The opcodes to execute will be placed in the body of the htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded as multiple bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied into a limited buffer which is located on the stack. Putting a return address repeatedly in the link makes the processor jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again) == Exploiting, getting execution == To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].
The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA work, otherwise they can interfere. == Dumping memories == For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues. == UART == The UART is exactly the same as described in the datasheet. See [http://pargon.nl/?p=6 here] how to build a UART cable. My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] *left board : DLC5 JTAG interface, modified for reset and USB switching *right board : some programmer board, only the ST232 is used *upper board : this was the JTAG scanner, now only the power supply and 5V regulator are used *middle board : all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == Because UART needs HW, USB will be used to debug in the future. == Analysis of the dumps == to be documented fd248f08cbfc5933d60a490e9934c66dbe400e02 1742 1726 2009-07-16T23:40:38Z Cmwslw 1 moved [[Nano2G getting exec]] to [[Getting Execution]] wikitext text/x-wiki fd248f08cbfc5933d60a490e9934c66dbe400e02 1748 1742 2009-07-16T23:42:06Z Cmwslw 1 moved [[Getting Execution]] to [[Getting execution]] wikitext text/x-wiki fd248f08cbfc5933d60a490e9934c66dbe400e02
File:Img9088.jpg 6 100 1729 2009-07-16T17:22:24Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:IBL greeting.jpg 6 101 1737 2009-07-16T22:49:44Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:IBL logo.jpg 6 102 1738 2009-07-16T22:50:36Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 About 0 111 1758 2009-07-17T00:33:34Z Cmwslw 1 moved [[About]] to [[About this wiki]] wikitext text/x-wiki #REDIRECT [[About this wiki]] 4b34e10e28810fdc30214e5e5530404deeb7b6a9 File:Rb bootloader upright.jpg 6 112 1761 2009-07-17T00:41:28Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 freemyipod.org:About 4 115 1785 2009-07-22T01:07:16Z Cmwslw 1 Created page with 'This wiki was started in order to collect all information about the linux4nano project, whether that be on the IRC, website, or mailing list, and compile it all into a convenient...' wikitext text/x-wiki This wiki was started in order to collect all information about the linux4nano project, whether that be on the IRC, website, or mailing list, and compile it all into a convenient and organized location. Please feel free to add/edit information (it is a wiki after all).
Right now, I (cmwslw) don't really know that much about the project, so my facts may not be that accurate. Please keep in mind that this wiki is for the purpose of cracking the iPod encryption. While we want to find out as much about the iPod as we can, we need to try to keep only information relevant to cracking the iPod in the wiki. This keeps the wiki informative, but still concise. Also, when editing the wiki, please be sure to include sources (for plagiarism, but mostly for convenience). Also, '''speculation is good'''! Since this is an ongoing project, some things might not be known for sure. Even still, it is important to put speculation in this wiki to keep ideas flowing. Just make sure you mark speculation by using a question mark or something. 8d195090a0376a1a5e1b010d9af2630d93a7fc0e IBugger 0 116 1789 2009-07-22T14:42:41Z TheSeven 13 Rewrote the iBugger stuff wikitext text/x-wiki [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://linuxstb.cream.org/nano2g/iBugger-0.1f.tar.gz here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger is being written by TheSeven. It aims to be a fully-featured debugger on the iPod. iBugger is sent to iBugger Loader via USB. 
Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts, and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very few changes needed to the code being debugged, to allow running it in iBugger ===Rockbox bootloader=== [[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]] We've managed to run the Rockbox bootloader for Nano2G (still in a very early state) inside iBugger (picture shown to the right). It is important to understand that this can only be achieved while tethered to a computer. A different way to boot a custom firmware (similar to how it was done on the older iPods) will be researched in the long term. 7eac7d22c81ac3cae53211480b2e2907243ac63a 1793 1789 2009-07-22T14:43:22Z TheSeven 13 /* iBugger (Core) */ wikitext text/x-wiki [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://linuxstb.cream.org/nano2g/iBugger-0.1f.tar.gz here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts, and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very few changes needed to the code being debugged, to allow running it in iBugger ===Rockbox bootloader=== [[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]] We've managed to run the Rockbox bootloader for Nano2G (still in a very early state) inside iBugger (picture shown to the right). It is important to understand that this can only be achieved while tethered to a computer. A different way to boot a custom firmware (similar to how it was done on the older iPods) will be researched in the long term. aadeb5a782f45d2df444e6172245fb7baeaa9499 1808 1793 2009-07-27T15:23:26Z Linuxstb 19 wikitext text/x-wiki [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://linuxstb.cream.org/nano2g/iBugger-0.1f.tar.gz here].
iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts, and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very few changes needed to the code being debugged, to allow running it in iBugger ===Rockbox bootloader=== [[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]] Rockbox developers have started work on porting Rockbox to the Nano2G and it is currently possible to run a Rockbox bootloader (still in a very early state) inside iBugger (picture shown to the right). It is important to understand that this can only be achieved while tethered to a computer. A different way to boot a custom firmware (similar to how it was done on the older iPods) will be researched in the long term. 08e295bedb5ff17e48565de9c0366833a5580af1 Main Page 0 50 1796 1788 2009-07-23T21:48:33Z Cmwslw 1 status update wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list.
Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Clickwheel and audio drivers are working! iBugger now has a read only serial terminal for printf-style messages. Currently working on writing data to the iPod from the console.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] c69d2b1209ceea2a233ea213f67111cf08df4612 1800 1796 2009-07-24T21:49:24Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Clickwheel and audio drivers are working! iBugger now has a read only serial terminal for printf-style messages. 
Currently working on making audio in Rockbox work, then we'll have a look at the NAND/FTL.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 56dad3f0b59f874e94b8ae0ef4a4312cfa35ffef 1803 1800 2009-07-25T14:46:37Z TheSeven 13 Status update wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Clickwheel and audio drivers are working! iBugger now has a read only serial terminal for printf-style messages. Currently working on making audio work in Rockbox then we'll have a look at the NAND/FTL. Awaiting 6G Classic memory dump, code execution is confirmed, UART is running.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 151d0a8cc46a2b94f96c471b175203af35812b0b 1804 1803 2009-07-25T14:50:03Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. 
IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Currently working on making audio work in Rockbox then we'll have a look at the NAND/FTL. Awaiting 6G Classic memory dump, code execution is confirmed, UART is running.''' [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 1f87263aa1f32ba4acf4fa8b79431c3463c3f32b 1815 1804 2009-07-28T22:19:17Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Currently working on making audio work in Rockbox then we'll have a look at the NAND/FTL. Awaiting 6G Classic memory dump, code execution is confirmed, UART is running.''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 4432148a7243cc7544650ea4b0862ea16201750e 1816 1815 2009-07-28T22:19:48Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. 
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Currently working on making audio work in Rockbox then we'll have a look at the NAND/FTL. Awaiting 6G Classic memory dump, code execution is confirmed, UART is running.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 87d5b8cce444a93e4d2a166ccee19ae9206a4170 1830 1816 2009-08-02T01:30:56Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically.
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 7d69bd67acea65bcb882bc9a0ca4ce3d4b967d38 1834 1830 2009-08-02T13:17:59Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for a fuller status. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] ac53972419f4ffa77418f95a326def3808a88ceb 1837 1834 2009-08-02T15:22:17Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected).
Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for a fuller status. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] fa33a6649659c277115d3fa0e8e3d5c294ee0320 1859 1837 2009-08-06T06:51:06Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 988284b89e670b2c7d6c401c9f0faf9374e317c2 1886 1859 2009-08-21T15:34:21Z Farthen 28 Link to the Address Bruteforcing page was added. wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project.
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] '''If you want to help, the best thing you can do now is visit:''' [[Address Bruteforcing]] 7ad278fe5e7db12376ae0de2c79ee57adf915484 File:Nano 4g frt a.png 6 75 1809 1581 2009-07-28T20:30:26Z Cmwslw 1 uploaded a new version of "[[File:4G frt annotation.png]]": changed wolfson to cirrus wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Classic 1g frt a.png 6 117 1810 2009-07-28T20:31:44Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Classic 1g bck a.png 6 118 1811 2009-07-28T20:32:03Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Classic 2g frt a.jpg 6 119 1812 2009-07-28T20:32:57Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Hardware 0 54 1814 1698 2009-07-28T22:06:12Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC.
Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. 
This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. 
|- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 86f307399ad85d0b74c08c1847541e8ef7ee634a 1831 1814 2009-08-02T13:08:23Z Cmwslw 1 for some reason someone changed all processors to 8701... 
wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]]. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. 
This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx 
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 46edc48b505d4b2c5e84add5dd6903a351a7d3c7 Status 0 121 1832 2009-08-02T13:14:37Z Cmwslw 1 Created page with '{| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Ye...' wikitext text/x-wiki {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No |- | 6G Classic | Yes | No | No | No | No | No | No |- | 6.5G Classic | No | No | No | No | No | No | No |} 463ed5ea805ceff867a3a1a1f741dc1d8e3cec64 1833 1832 2009-08-02T13:17:01Z Cmwslw 1 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No |- | 6G Classic | Yes | No | No | No | No | No | No |- | 6.5G Classic | No | No | No | No | No | No | No |} 9535760e5e3da0295a2526773c95dfd9d7a17b74 1835 1833 2009-08-02T13:19:41Z Cmwslw 1 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !!
NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 6G Classic | Yes | No | No | No | No | No | No | No | No |- | 6.5G Classic | No | No | No | No | No | No | No | No | No |} 476466e62f6a634d24591599e98aaf5edc5a8fc9 1836 1835 2009-08-02T15:20:41Z Cmwslw 1 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} 0c636c3d214ea46949412de0e49c03ac9e26f13c 1838 1836 2009-08-02T16:28:39Z 147.210.8.12 0 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !!
NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 6G Nano | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} 7739ba13100b07dbc7cd61a7cfd0e3caacefb5d6 1839 1838 2009-08-02T16:38:25Z 147.210.8.12 0 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 6G Classic | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} a1445f4935cf80e00e059346957af82a90b6fe78 1840 1839 2009-08-02T16:38:47Z 147.210.8.12 0 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !!
NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} 0c636c3d214ea46949412de0e49c03ac9e26f13c 1853 1840 2009-08-03T16:51:45Z Perror 21 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} 5048d58324510b2792fa57e0bc0bcd91034c61ad 1855 1853 2009-08-04T05:08:02Z Cmwslw 1 Protected "[[Status]]" ([edit=autoconfirmed] (indefinite) [move=autoconfirmed] (indefinite)) wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !!
NAND/Hard Drive |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |- | 3G Nano | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No |} 5048d58324510b2792fa57e0bc0bcd91034c61ad 1860 1855 2009-08-06T06:52:17Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption |- | 2G Nano | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |- | 3G Nano | No | No | No | No | No | No | No | No | No | No | No |- | 4G Nano | No | No | No | No | No | No | No | No | No | No | No |- | 1G Classic | Yes | No | Yes | No | No | No | No | No | No | No | No |- | 2G Classic | No | No | No | No | No | No | No | No | No | No | No |} fd42b43fdee33b9d8de2080b5ac27c38070b9b56 1861 1860 2009-08-06T18:13:09Z Cmwslw 1 added colors wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !!
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} ff201ced017c6fd59a6a07db8805641d4c9b08b7 1877 1861 2009-08-18T06:26:16Z Perror 21 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 104fdb66d98637c61fadfd441b929f546c2db8d6 1878 1877 2009-08-18T06:26:36Z Perror 21 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 35263fff8f48e7b8dfe83b49aaff471a7446c770 File:IPod Timeline.png 6 64 1841 1552 2009-08-02T16:45:51Z Perror 21 uploaded a new version of "[[File:IPod Timeline.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Chronology 0 65 1846 1649 2009-08-03T12:40:10Z Perror 21 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | 1G | |- | 2G | |- | 3G | |- | 4G (Greyscale) | |- | 4G (Color) | |- | 5G (Video) | |- | 5.5G (Video) | |- | 6G (Classic) | |- | 6.5G (Classic) | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. 
The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. 11088cedd015e35f687e389b8c60cab5130812c5 1847 1846 2009-08-03T12:43:48Z Perror 21 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | 1G | |- | 2G | |- | 3G | |- | 4G (Greyscale) | |- | 4G (Color) | |- | 5G (Video) | |- | 5.5G (Video) | |- | 6G (Classic) | |- | 6.5G (Classic) | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. 
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. 8105c2a8157571a618bb0b7bfe409c0e003d3d1f 1848 1847 2009-08-03T12:52:34Z Perror 21 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! Notes |- | 1G | 2001-10 | |- | 2G | 2002-03 | |- | 3G | 2003-04 | |- | 4G (Greyscale) | 2004-07 | |- | 4G (Color) | 2004-10 | |- | 5G (Video) | 2005-10 |- | 5.5G (Video) | 2006-09 | |- | 6G (Classic 1G) | 2007-09 | |- | 6.5G (Classic 2G) | 2008-09 | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! 
Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. 337925db21d4141d3b8008637a08e10523dd61a7 1849 1848 2009-08-03T12:53:21Z Perror 21 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! 
Notes |- | 1G | 2001-10 | |- | 2G | 2002-03 | |- | 3G | 2003-04 | |- | 4G (Greyscale) | 2004-07 | |- | 4G (Color) | 2004-10 | |- | 5G (Video) | 2005-10 | |- | 5.5G (Video) | 2006-09 | |- | 6G (Classic 1G) | 2007-09 | |- | 6.5G (Classic 2G) | 2008-09 | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. 
Apple changed their processor to Samsung and no longer used PortalPlayer. b2dea5e4c9e1af7efa700622f1759cb8bf5d6490 1850 1849 2009-08-03T12:56:32Z Perror 21 wikitext text/x-wiki [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] This page tries to list all iPod models and to settle how they are named, so that nobody on this wiki or on IRC is confused about which model we are talking about. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page. ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! Notes |- | 1G | 2001-10 | |- | 2G | 2002-03 | |- | 3G | 2003-04 | |- | 4G (Greyscale) | 2004-07 | |- | 4G (Color) | 2004-10 | |- | 5G (Video) | 2005-10 | |- | 5.5G (Video) | 2006-09 | |- | 6G (Classic 1G) | 2007-09 | |- | 6.5G (Classic 2G) | 2008-09 | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. 
This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. f2862e3cb433e88113ece3bf9b71a71c36c9dd8a 1851 1850 2009-08-03T12:57:09Z Perror 21 wikitext text/x-wiki This page lists all iPod models and settles how they are named, so that nobody on this wiki or on IRC is confused about which model we are talking about. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page. ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! Notes |- | 1G | 2001-10 | |- | 2G | 2002-03 | |- | 3G | 2003-04 | |- | 4G (Greyscale) | 2004-07 | |- | 4G (Color) | 2004-10 | |- | 5G (Video) | 2005-10 | |- | 5.5G (Video) | 2006-09 | |- | 6G (Classic 1G) | 2007-09 | |- | 6.5G (Classic 2G) | 2008-09 | |} ==iPod Mini Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Mini 1G | |- | Mini 2G | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Nano 1G | |- | Nano 2G | |- | Nano 3G | |- | Nano 4G | |} ==iPod Shuffle Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Notes |- | Shuffle 1G | |- | Shuffle 2G | |- | Shuffle 3G | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. 
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. 20403a1256dd287f1a9dc9146e850e19a7c73061 1852 1851 2009-08-03T13:10:39Z Perror 21 wikitext text/x-wiki This page lists all iPod models and settles how they are named, so that nobody on this wiki or on IRC is confused about which model we are talking about. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page. ==iPod Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! 
Notes |- | [http://support.apple.com/kb/HT1353#scrollwheel 1G] | 2001-10 | |- | [http://support.apple.com/kb/HT1353#touchwheel 2G] | 2002-07 | |- | [http://support.apple.com/kb/HT1353#dockconnector 3G] | 2003-04 | |- | [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] | 2004-07 | |- | [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] | 2004-10 | |- | [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] | 2005-10 | |- | [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] | 2006-09 | |- | [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)] | 2007-09 | |- | [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)] | 2008-09 | |} ==iPod Nano Series== {| border="1" cellpadding="5" cellspacing="0" ! Model !! Introduced !! Notes |- | [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] | 2005-09 | |- | [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] | 2006-09 | |- | [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] | 2007-09 | |- | [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] | 2008-09 | |} ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. 
==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer. 736417f6a3d740a41eb376ff454182e148c34146 Address bruteforcing 0 122 1879 2009-08-21T13:50:20Z Cmwslw 1 Created page with 'The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and th...' wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. b39d806e8ebd83724d40acab78ac7e4b25bcd9d5 1880 1879 2009-08-21T14:21:52Z Farthen 28 Added a draft of a matrix for better overview about the progress of the project... wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. == Matrix of working devices == This is a still incomplete matrix of working devices at the moment. It'll be updated and will at some time also include the actual address to jump in for each device. {| border="1" |- ! devices/partition type ! Windows-formatted (FAT) ! 
Mac-Formatted (HFS) |- | iPod nano 2g | Yes | Untested |- | iPod nano 3g | No | No |- | iPod nano 4g | No | No |- | iPod classic 1g | Yes | Untested |- | iPod classic 2g | No | No |} afcc11a4956a20bc589f742d144ccab8578f11b4 1882 1880 2009-08-21T14:29:23Z Farthen 28 wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. == Matrix of working devices == This is a still incomplete matrix of working devices at the moment. It'll be updated and will at some time also include the actual address to jump in for each device. {| border="1" |- ! devices/partition type ! Windows-formatted (FAT) ! Mac-Formatted (HFS) |- | iPod nano 2g | Yes | Untested |- | iPod nano 3g | No | No |- | iPod nano 4g | crashed | No |- | iPod classic 1g | Yes | Untested |- | iPod classic 2g | No | No |} The status "crashed" means that the device has crashed when putting in the modified notes, but we couldn't find an address (yet) that is exploitable. 54d7967116da4beaa50332d3d0c8d1d8a04cb753 1883 1882 2009-08-21T15:01:16Z Cmwslw 1 wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~500MB. 
It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: 1. The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. 2. The iPod works completely normally. You can navigate menus, play music, etc. without any problems. 3. The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. 4. The iPod freezes up entirely. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki. # The next step is to get into disk mode. First, you need to == Matrix of working devices == This is a still incomplete matrix of working devices at the moment. It'll be updated and will at some time also include the actual address to jump in for each device. {| border="1" |- ! devices/partition type ! Windows-formatted (FAT) ! Mac-Formatted (HFS) |- | iPod nano 2g | Yes | Untested |- | iPod nano 3g | No | No |- | iPod nano 4g | crashed | No |- | iPod classic 1g | Yes | Untested |- | iPod classic 2g | No | No |} The status "crashed" means that the device has crashed when putting in the modified notes, but we couldn't find an address (yet) that is exploitable. 
492f28408a34e9fbc6c1ac691e23f41e5e97b798 1884 1883 2009-08-21T15:08:40Z Cmwslw 1 wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~500MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. 
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page. You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Matrix of working devices == This is a still incomplete matrix of working devices at the moment. It'll be updated and will at some time also include the actual address to jump in for each device. {| border="1" |- ! devices/partition type ! Windows-formatted (FAT) ! Mac-Formatted (HFS) |- | iPod nano 2g | Yes | Untested |- | iPod nano 3g | No | No |- | iPod nano 4g | crashed | No |- | iPod classic 1g | Yes | Untested |- | iPod classic 2g | No | No |} The status "crashed" means that the device has crashed when putting in the modified notes, but we couldn't find an address (yet) that is exploitable. 6b92de23f0429a6a43d01e2be950ad617660dac7 1885 1884 2009-08-21T15:32:19Z Farthen 28 Didn't see the status page. Removed the matrix since it was obsolete. wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. 
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~500MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page. You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. 
a76ba94ddc27a3cbb669edef2d68635d109f1f17 1887 1885 2009-08-21T15:39:54Z Cmwslw 1 wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works. # Connect your iPod to the computer if it isn't already and browse to its Notes directory. 
Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page. You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of non-#1 behaviors == {| border="1" |- ! iPod generation ! Firmware version ! Sweep filename ! Behavior type ! Notes |- | test | test | test | test | test |- | test | test | test | test | test |} 616cd36c06121ccc31f11a22b7c0ee85b12ee3a0 1888 1887 2009-08-21T15:40:43Z Cmwslw 1 Protected "[[Address Bruteforcing]]" ([edit=autoconfirmed] (indefinite) [move=autoconfirmed] (indefinite)) wikitext text/x-wiki The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. 
Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown.
This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page. You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! iPod generation
! Firmware version
! Sweep filename
! Behavior type
! Notes
|-
| test
| test
| test
| test
| test
|-
| test
| test
| test
| test
| test
|}
616cd36c06121ccc31f11a22b7c0ee85b12ee3a0
1890 1888 2009-08-21T15:50:10Z Cmwslw 1 wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file.
First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! iPod generation
! Firmware version
! Sweep filename
! Behavior type
! Notes
|-
| test
| test
| test
| test
| test
|-
| test
| test
| test
| test
| test
|}
9e9ed55e078df7c2f72b3ed970ccaab2dc766254
Address bruteforcing 0 122 1891 1890 2009-08-21T15:56:36Z Cmwslw 1 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior.
Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| test
| Windows
| test
| #3
| test
|-
| Empty
| 1G Classic
| 1.03
| Windows
| a080a2004.htm
| #3
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|}
525a40658e78d9c973b58d49ad792128b2b8ca33
1892 1891 2009-08-21T16:03:02Z Cmwslw 1 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.
This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first).
You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|}
bc85906cf93a5365bf07cde11ba51e53fd678e82
1894 1892 2009-08-21T16:05:54Z Cmwslw 1 moved [[Address Bruteforcing]] to [[Address bruteforcing]] wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format.
They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
!
iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|}
bc85906cf93a5365bf07cde11ba51e53fd678e82
1900 1894 2009-08-21T18:14:49Z Cmwslw 1 notice about mac ipods wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|}
39fbc1fbe03f2234a354ad33e928953bdb1db537
1901 1900 2009-08-21T18:42:34Z PharaohsVizier 29 wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm
| #2
|
|}
ac00a72d8e2dd47e5b2547c779e57c903da4ccf7
1902 1901 2009-08-21T19:19:02Z Cmwslw 1 wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first).
You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm
| #2
|
|}
36d6197d8650dc9d7f4d0b314091c93120aa5be4
1903 1902 2009-08-21T19:23:19Z Cmwslw 1 wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format.
They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file.
Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
|
|}

c73b1fa4e7e1172f949edaebb278ec7b251de909 1904 1903 2009-08-21T21:56:23Z TheSeven 13 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| Not exploitable, as the bug seems to be fixed.
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| Not exploitable for some unknown reason.
|
|}

a0ea8a83b797b92c976563e2bbf7a91598c3e851 1905 1904 2009-08-21T21:56:59Z TheSeven 13 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

Note: if you are using your iPod with a Mac, your note files might not do anything. If this happens please say so on IRC.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
|
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug seems to be fixed.
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable for some unknown reason.
|}

8aa793a18a28628bb031e49ae711932c33e4f39e 1906 1905 2009-08-21T23:19:23Z Cmwslw 1 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.
You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Possible problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
|
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug seems to be fixed.
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable for some unknown reason.
|}

2ae98efe1ee6170c355896833666818079ecb8fc 1907 1906 2009-08-21T23:32:28Z Cmwslw 1 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
|
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug seems to be fixed.
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable for some unknown reason.
|}

105d0917eadf80d4f0f3c7523fb4cc7bd6e31df5 1908 1907 2009-08-21T23:33:41Z Cmwslw 1 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.
This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|}

e11ab0c4b704919ffc6aff730e891c832e326920 1909 1908 2009-08-21T23:37:20Z Cmwslw 1 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive.
The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works.

You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
If you leave an entry in here, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|}

b4bfba6f9eff99112d9fdb2fc66bb2c4192262a4 1913 1909 2009-08-22T01:10:50Z Superandy 22 wikitext text/x-wiki

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive.
The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the ram where freezes are normal. ie. a2004 range == Known problems == Note: if you are using your ipod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. 
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them on this wiki page (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of non-#1 behaviors ==
If you leave an entry in here, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|}
8fe11cfa7e38c5f9d694c40d55124e159a27d0f3
1921 1913 2009-08-22T15:06:06Z Cmwslw 1 added tested files table wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version.
Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|}
9cfc51ff13b975d074b5054852d5fbeacfd2d7e6
1922 1921 2009-08-22T15:20:07Z Cmwslw 1 wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version.
Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory.
Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
!
Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|}
b95a67759f44c9010762c3629ba81cae2522b307
1923 1922 2009-08-22T18:02:02Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com).
This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm
| #2
| ... testing
|}
fa6b9834aca54d541c396f047aeff5746224a306
1924 1923 2009-08-22T18:04:51Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB.
It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first).
You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm a08010304.htm
| #2
| ... testing
|}
f5a48a0b9023841be4daa26ad9395b8d33fcd528
1925 1924 2009-08-22T18:41:05Z Watto 32 /* Table of tested files */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below.
(There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
|-
| James Watkins
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in the firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm a08010304.htm
| #2
| ...
testing
|}
335b2f592a8cbcdc608d2855a257d73791298192 1926 1925 2009-08-22T18:42:16Z Watto 32 /* Table of tested files */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works.
It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm
|-
| James Watkins || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !!
Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| Empty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010104.htm a08010304.htm || #2 || ... testing
|}
c8c048c50dfea48101ba124fc14f12b3a90684dc 1927 1926 2009-08-22T18:48:58Z Watto 32 /* Table of tested files */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !!
Ending filename
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| Empty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010104.htm a08010304.htm || #2 || ... testing
|}
39ffad7ccd1e6d9b563179eb1d95891b1675159d 1928 1927 2009-08-22T18:54:53Z N00b81 33 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior.
Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| Empty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010104.htm a08010304.htm || #2 || ...
testing
|}
726d0c4cace89271cc4929b188615b1dc42832e6 1929 1928 2009-08-22T19:14:33Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works.
It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !!
Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| Empty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm || #2 || will continue testing tomorrow. left off at a08011904.htm
|}
4dc87168b7c9ea41e380222811a6eff25b6f4b5b 1931 1929 2009-08-22T19:27:47Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (There is no point in having people try the same thing twice.) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first).
You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| Empty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm || #2 || will continue testing tomorrow.
left off at a08011904.htm
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 || will continue testing tomorrow. left off at a08011904.htm
|}
c4070d90f6dc98cfe0cf215ffcc0080e7b5ac301 1939 1931 2009-08-22T20:29:49Z Cmwslw 1 wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to.
You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm |} == Table of non-#1 behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type !
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm | #2 | will continue testing tomorrow. left off at a08011904.htm |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | will continue testing tomorrow. left off at a08011904.htm |} 8f00d0f9da052008d85aa920aed33ba2d2f3539b 1941 1939 2009-08-22T21:35:39Z Farthen 28 /* Table of non-#1 behaviors */ Added my (quite unimportant) bits of today wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. 
Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything.
You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file.
Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm |} == Table of non-#1 behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm | #2 | will continue testing tomorrow. left off at a08011904.htm |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | will continue testing tomorrow. left off at a08011904.htm |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. 
|} 245cc70fa171ee3746f0a626931c970aecb17f50 1944 1941 2009-08-23T00:56:42Z Cmwslw 1 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally.
You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |} == Table of non-#1 behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type !
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm | #2 | will continue testing tomorrow. left off at a08011904.htm |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | will continue testing tomorrow. left off at a08011904.htm |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. 
|} 2893bc4c5c179e2599d6b6c4ea569a37aa4b8d0f 1951 1944 2009-08-23T02:03:28Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally.
You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |} == Table of non-#1 behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type !
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm | #2 | |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. 
|} 13ea9a11bb9bff098ce2aabc146461c39a7b245b 1956 1951 2009-08-23T02:27:21Z Superandy 22 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally.
You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers. == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |} == Table of non-#1 behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type !
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm | #2 | |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. 
|}
f0a79c686cad3aee9a677579e58fa68e87605f6c 1957 1956 2009-08-23T02:39:39Z Cmwslw 1 wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by its small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the sweep.7z archive. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting.
If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers which region of files to try first and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the RAM where freezes are normal, i.e. the a2004 range.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps to try another sweep file. Please record the ranges of files you test in the table below (there is no point in having people try the same thing twice). Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #2
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|} 5b12411cfb0e10789461aec867dd2ebb37c70605 Main Page 0 50 1896 1886 2009-08-21T16:07:57Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: 6G SDRAM is dumped and correct return address was found. Now looking at 6.5G and 3G Nano. Also need to work on NAND drivers.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] a279699af063774763cf687a9d2e78fa6164b9d9 1912 1896 2009-08-21T23:52:36Z Cmwslw 1 status update wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). 
Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Apple patched notes buffer overflow, working on NAND driver and finding other return addresses.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] 911c387311829db0b63bcb60d9a607084abc5e02 1932 1912 2009-08-22T19:57:38Z Jwnordquist 31 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Apple patched notes buffer overflow, working on NAND driver and finding other return addresses.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] ipodlinux.org archive----> http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page <------ e6893cffb2450f24ec064826330648326b9fd6e7 1933 1932 2009-08-22T20:06:24Z Jwnordquist 31 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Apple patched notes buffer overflow, working on NAND driver and finding other return addresses.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] ipodlinux.org archive----> http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page <------6499476 63357ab21a4e392b3019f64ec615d2e031960f99 1943 1933 2009-08-23T00:52:38Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. 
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Apple patched notes buffer overflow, working on NAND driver and finding other return addresses.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] [http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] b093b0492746eeef71ce7dca280a77df6bb24e38 1953 1943 2009-08-23T02:05:05Z Cmwslw 1 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. 
'''Status at a glance: Toying with the idea of creating a [[Nanotron 3000]] to auto-bruteforce addresses.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] [http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive] '''If you want to help, best you could do now is visiting:''' [[Address bruteforcing]] 8a61e33793e9738d18c32cbebff1f52fd2efe2f8 User:Farthen 2 125 1915 2009-08-22T01:41:59Z Farthen 28 I need a user page ;-) wikitext text/x-wiki Just a summary of me: No programming experience (yet) I have a 4g nano, downgraded to 1.0.3 to help you exploiting the notes ;-) Found out about this project at June 2009. If you have questions to me, just ask on the talk page, on irc or through the mailing list. To link my nick and realname: I'm Finn Wilke. --[[User:Farthen|Farthen]] 01:41, 22 August 2009 (UTC) 663d46266517c051305f33bc92516a31831ea240 1917 1915 2009-08-22T01:47:10Z Farthen 28 wikitext text/x-wiki Just a summary of me: No programming experience (yet) I have a 4g nano, downgraded to 1.0.3 to help you exploiting the notes ;-) Found out about this project at June 2009. If you have questions to me, just ask on the [[User_talk:Farthen|talk page]], on irc or through the mailing list. To link my nick and realname: I'm Finn Wilke. bc907f4495feb636692bc2f630a5e848f8ca1a7a 1918 1917 2009-08-22T01:49:31Z Farthen 28 wikitext text/x-wiki Just a summary of me: No programming experience (yet) I have a 4g nano, downgraded to 1.0.3 to help you exploiting the notes ;-) Found out about this project at June 2009. If you have questions to me, just ask on the [[User_talk:Farthen|talk page]], on irc or through the mailing list. To link my nick and realname: I'm Finn Wilke. I'm from Germany and speak German, English and some French. 
8dead7f123050f18642d5e800cf3a376f9f7e3c9 User talk:Farthen 3 126 1916 2009-08-22T01:46:38Z Farthen 28 Created page with 'Feel free to ask questions to me on this page. You can also contact me through mailinglist or irc, see my [[User:Farthen|user page]] for details. --~~~~' wikitext text/x-wiki Feel free to ask questions to me on this page. You can also contact me through mailinglist or irc, see my [[User:Farthen|user page]] for details. --[[User:Farthen|Farthen]] 01:46, 22 August 2009 (UTC) 537d8c31ee7362e0f9c1ca4facb6ddd76bba9471 Modes 0 52 1919 1716 2009-08-22T02:06:10Z Farthen 28 Added DFU lsusb -v of nano 4g wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. 
The Nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device on your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x05ac Apple, Inc.
  idProduct 0x1223
  bcdDevice 0.01
  iManufacturer 1 Apple Computer, Inc.
  iProduct 2 USB DFU Device
  iSerial 3 87020000000001
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80
      (Bus Powered)
    MaxPower 100mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 0
      bInterfaceClass 254 Application Specific Interface
      bInterfaceSubClass 1 Device Firmware Update
      bInterfaceProtocol 2
      iInterface 0
      ** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength 10
  bDescriptorType 6
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  bNumConfigurations 1
Device Status: 0x0000
  (Bus Powered)
</pre>

Verbose output from a Nano 4G in DFU mode:
<pre>
Bus XXX Device YYY Apple Computer, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 1.00
  bDeviceClass 9 Hub
  bDeviceSubClass 0 Unused
  bDeviceProtocol 0 Full speed (or root) hub
  bMaxPacketSize0 8
  idVendor 0x05ac Apple Computer, Inc.
  idProduct 0x8005
  bcdDevice 1.10
  iManufacturer 2
  iProduct 1
  iSerial 0
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 10
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x60
      (Missing must-be-set bit!)
      Self Powered
      Remote Wakeup
    MaxPower 0mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 1
      bInterfaceClass 9 Hub
      bInterfaceSubClass 0 Unused
      bInterfaceProtocol 0 Full speed (or root) hub
      iInterface 0
      Endpoint Descriptor:
        bLength 8
        bDescriptorType 5
        bEndpointAddress 0x81 EP 1 IN
        bmAttributes 3
          Transfer Type Interrupt
          Synch Type None
          Usage Type Data
        wMaxPacketSize 0x0008 1x 8 bytes
        bInterval 32
can't get hub descriptor: Undefined error: 0
Device Status: 0x0001
  Self Powered
</pre>

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

1164a0cb1eaa7273f0907d7c35e8850b01531da2 1920 1919 2009-08-22T02:08:57Z Farthen 28 Sorry for this one, used a corrupt lsusb. will redo it tomorrow. wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since Nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The Nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been found out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device on your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode. To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x05ac Apple, Inc.
  idProduct 0x1223
  bcdDevice 0.01
  iManufacturer 1 Apple Computer, Inc.
  iProduct 2 USB DFU Device
  iSerial 3 87020000000001
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 27
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80
      (Bus Powered)
    MaxPower 100mA
    Interface Descriptor:
      bLength 9
      bDescriptorType 4
      bInterfaceNumber 0
      bAlternateSetting 0
      bNumEndpoints 0
      bInterfaceClass 254 Application Specific Interface
      bInterfaceSubClass 1 Device Firmware Update
      bInterfaceProtocol 2
      iInterface 0
      ** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength 10
  bDescriptorType 6
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  bNumConfigurations 1
Device Status: 0x0000
  (Bus Powered)
</pre>

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
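The <code>** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01</code> line in the Nano 3G listing above is the DFU functional descriptor (type 0x21), which lsusb printed as raw bytes instead of decoding. The Python sketch below is an added example, not part of the original wiki page or the Linux4nano tools; it decodes those bytes using the field layout from the USB DFU specifications linked under Helpful pages, and its function and class names are illustrative.

```python
"""Decode a USB DFU functional descriptor from the hex bytes lsusb prints."""
import struct
from dataclasses import dataclass

DFU_FUNCTIONAL = 0x21  # bDescriptorType of the DFU functional descriptor

# bmAttributes bits as named in the USB DFU class specification
ATTR_BITS = {
    0x01: "bitCanDnload",
    0x02: "bitCanUpload",
    0x04: "bitManifestationTolerant",
    0x08: "bitWillDetach",  # only defined from DFU 1.1 onwards
}

# Byte string copied from the Nano 3G lsusb output on this page
NANO_3G_LINE = "** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01"


@dataclass(frozen=True)
class DfuFunctional:
    attributes: tuple       # names of the bmAttributes bits that are set
    detach_timeout_ms: int  # wDetachTimeOut
    transfer_size: int      # wTransferSize, bytes per control transfer
    dfu_version: str        # bcdDFUVersion rendered as "major.minor"
    reserved_bits: int      # bmAttributes bits 4..7, expected to be zero


def parse_hex_dump(text):
    """Accept an lsusb 'UNRECOGNIZED:' line or a bare hex byte string."""
    _, _, tail = text.rpartition(":")
    return bytes(int(tok, 16) for tok in tail.split())


def bcd_to_str(value):
    """Render a 16-bit BCD version, e.g. 0x0110 -> '1.10'."""
    return f"{value >> 8:x}.{value & 0xFF:02x}"


def parse_dfu_functional(raw):
    """Validate and decode a 7-byte (DFU 1.0) or 9-byte descriptor."""
    if len(raw) < 7:
        raise ValueError("shorter than the 7-byte DFU 1.0 descriptor")
    b_length, b_type, attrs, detach, xfer = struct.unpack_from("<BBBHH", raw)
    if b_type != DFU_FUNCTIONAL:
        raise ValueError(f"bDescriptorType 0x{b_type:02x} is not 0x21")
    if b_length != len(raw):
        raise ValueError(f"bLength {b_length} but {len(raw)} bytes supplied")
    if b_length == 9:
        (bcd,) = struct.unpack_from("<H", raw, 7)
        version = bcd_to_str(bcd)
    elif b_length == 7:
        version = "1.00"  # the 7-byte form has no bcdDFUVersion field
    else:
        raise ValueError(f"unexpected bLength {b_length}")
    names = tuple(name for bit, name in ATTR_BITS.items() if attrs & bit)
    return DfuFunctional(names, detach, xfer, version, attrs & 0xF0)


def decode_line(line):
    """Convenience wrapper: lsusb text line in, decoded descriptor out."""
    return parse_dfu_functional(parse_hex_dump(line))


if __name__ == "__main__":
    print(decode_line(NANO_3G_LINE))
```

For the Nano 3G bytes this decodes to download and upload both advertised, a 10 ms detach timeout, a 2048-byte transfer size and bcdDFUVersion 1.00.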
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

8929357c3006fcd70405a9e1f3373efbd8849c9e Nanotron 3000 0 130 1942 2009-08-22T22:27:49Z Cmwslw 1 Created page with 'Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing r...' wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses.

bf962b6089611dc497330d5c48c26ce7daceb137 1945 1942 2009-08-23T01:39:31Z Cmwslw 1 crunched some numbers wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses.

If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.
== Technical details for 4G == Time to hold down menu and center buttons to restart: exactly 5 seconds Time to reboot to main menu: 17.5 seconds Time to boot cold to main menu: ~25 seconds (shouldn't be needed) Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it (this is like .25 seconds after Apple logo) I did see 10 seconds once so I guess there might be a last-minute check after the Apple logo Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (17.5 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (2.5 seconds) So the amount of time to test one file would take roughly 30.5 seconds. With that time we can test about 2832 files a day. With a 16-byte step (might be better to use 8 bytes?) we could bust through a whopping 45312 bytes a day (0xB100) 78d87af96659926eeb543ff3115aec55163ad2b3 1946 1945 2009-08-23T01:39:55Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == Time to hold down menu and center buttons to restart: exactly 5 seconds Time to reboot to main menu: 17.5 seconds Time to boot cold to main menu: ~25 seconds (shouldn't be needed) Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it (this is like .25 seconds after Apple logo). 
I did see 10 seconds once so I guess there might be a last-minute check after the Apple logo Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (17.5 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (2.5 seconds) So the amount of time to test one file would take roughly 30.5 seconds. With that time we can test about 2832 files a day. With a 16-byte step (might be better to use 8 bytes?) we could bust through a whopping 45312 bytes a day (0xB100) 3b8c799c2ce121e09b8264fa4698d637f1abac9d 1947 1946 2009-08-23T01:40:43Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds *Time to reboot to main menu: 17.5 seconds *Time to boot cold to main menu: ~25 seconds (shouldn't be needed) *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it (this is like .25 seconds after Apple logo). 
I did see 10 seconds once so I guess there might be a last-minute check after the Apple logo Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (17.5 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (2.5 seconds) So the amount of time to test one file would take roughly 30.5 seconds. With that time we can test about 2832 files a day. With a 16-byte step (might be better to use 8 bytes?) we could bust through a whopping 45312 bytes a day (0xB100) d2a52e30efd75c240a80767d80949881f371b47d 1948 1947 2009-08-23T01:43:20Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds *Time to reboot to main menu: 17.5 seconds *Time to boot cold to main menu: ~25 seconds (shouldn't be needed) *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it (this is like .25 seconds after Apple logo). 
I did see 10 seconds once so I guess there might be a last-minute check after the Apple logo Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (17.5 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (2.5 seconds) So the amount of time to test one file would take roughly 30.5 seconds. With that time we can test about 2832 files a day. With a 16-byte step (might be better to use 8 bytes?) we could bust through a whopping 45312 bytes a day (0xB100) We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. 6f44e75db4b2ea57f115b1a67a2ab0f0e3e3050c 1949 1948 2009-08-23T01:46:00Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds *Time to reboot to main menu: 17.5 seconds *Time to boot cold to main menu: ~25 seconds (shouldn't be needed) *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it (this is like .25 seconds after Apple logo). 
I did see 10 seconds once so I guess there might be a last-minute check after the Apple logo Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (17.5 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (2.5 seconds) So the amount of time to test one file would take roughly 30.5 seconds. With that time we can test about 2832 files a day. With a 16-byte step (might be better to use 8 bytes?) we could bust through a whopping 45312 bytes a day (0xB100) We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... 7a9bb6c66f9222236f9fbd4710dbb51d6054e57e 1950 1949 2009-08-23T02:00:00Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. 
== Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... 2db1eab4095d8a60637e40ed13231ea5577d4594 1954 1950 2009-08-23T02:06:39Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. 
We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... 
79042a64af7fe90555ee12e2a01623498fa62163 Nanotron 3000 0 130 1958 1954 2009-08-23T03:06:39Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and play to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. 
TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... If the iPod is frozen, lsusb waits for the iPod to respond for about 30 seconds, but finally finishes after giving up on the iPod. We could use this to determine if the iPod is frozen in our computer-side software. a450d2beee40f57a4501e7c33600016ae251f6f1 1961 1958 2009-08-23T09:38:37Z Farthen 28 small typo fix wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. 
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... If the iPod is frozen, lsusb waits for the iPod to respond for about 30 seconds, but finally finishes after giving up on the iPod. We could use this to determine if the iPod is frozen in our computer-side software. 68c34f908af4fc48d53936ee485d042a58d57725 1968 1961 2009-08-23T21:21:30Z Farthen 28 Added my own Nanotron with pictures wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. 
== Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... If the iPod is frozen, lsusb waits for the iPod to respond for about 30 seconds, but finally finishes after giving up on the iPod. We could use this to determine if the iPod is frozen in our computer-side software. == Nanotrons == === Farthen === My Nanotron-3000 is most probably the first one created ever. It took one full day to build.
As of this writing, software isn't written for it so it lies around. But soon I'll wake it up and it will start its work. [[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]] 247a2110e48c436cc55fd8a664f69eef5e20be51 1969 1968 2009-08-23T21:33:13Z Farthen 28 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00).
Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... If the iPod is frozen, lsusb waits for the iPod to respond for about 30 seconds, but finally finishes after giving up on the iPod. We could use this to determine if the iPod is frozen in our computer-side software. == Nanotrons == === Farthen === My Nanotron-3000 is most probably the first one created ever. It took one full day to build. As of this writing, software isn't written for it so it lies around. But soon I'll wake it up and it will start its work. [[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]] ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor slot 1 and faced in direction of the screen. * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction 555dc19a84210aa3b666c80d1cfff770994544c9 1971 1969 2009-08-24T02:30:50Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.
== Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). 
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. TODO: post kernel logs and investigate reboot log behavior == Nanotrons == === Farthen === My Nanotron-3000 is most probably the first one created ever. It took one full day to build. As of this writing, software isn't written for it so it lies around. But soon I'll wake it up and it will start its work. [[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]] ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor slot 1 and faced in direction of the screen. * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction d63b38c2702841041e990a09cbd94be2bb39e248 1977 1971 2009-08-24T18:57:58Z TheSeven 13 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.
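The kernel-log check from the "Testing for freeze" section, as an added example that is not the project's software: it only looks at entries newer than a baseline timestamp, so an enumeration line left over from an earlier run cannot be mistaken for the current one. The sample log lines, the USB error format and the 45-second timeout are assumptions constructed for illustration.

```python
"""Classify an iPod's post-reboot state from kernel log text (added example)."""
import re
from enum import Enum
from typing import Iterator, Optional, Tuple

# "[ 9275.123081] message": seconds since host boot, then the message.
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# The enumeration line quoted on this page; column spacing varies, hence \s+.
IPOD_RE = re.compile(r"^scsi \d+:\d+:\d+:\d+:\s+Direct-Access\s+Apple\s+iPod\b")
# Assumption: USB errors look like the kernel's "usb 1-4: ... error -110".
USB_ERROR_RE = re.compile(r"^usb [\d.-]+: .*\berror -\d+")

# Constructed sample: one stale enumeration line from an earlier test, then
# a reconnect that only produces USB errors (the frozen case).
SAMPLE_LOG = """\
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
[ 9391.402211] usb 1-4: new high speed USB device using ehci_hcd and address 23
[ 9406.517302] usb 1-4: device descriptor read/64, error -110
[ 9421.733518] usb 1-4: device descriptor read/64, error -110
"""


class State(Enum):
    ALIVE = "enumerated as a disk"
    USB_ERRORS = "USB errors only"
    SILENT = "nothing logged"


def entries(log_text: str) -> Iterator[Tuple[float, str]]:
    """Yield (timestamp, message) for every well-formed kernel log line."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield float(match.group(1)), match.group(2)


def baseline(log_text: str) -> float:
    """Newest timestamp already logged; record it before rebooting the iPod."""
    return max((ts for ts, _ in entries(log_text)), default=0.0)


def classify(log_text: str, since: float) -> State:
    """Classify using only entries strictly newer than `since`."""
    saw_error = False
    for ts, message in entries(log_text):
        if ts <= since:
            continue  # stale entry from a previous test cycle
        if IPOD_RE.match(message):
            return State.ALIVE
        if USB_ERROR_RE.match(message):
            saw_error = True
    return State.USB_ERRORS if saw_error else State.SILENT


def decide(log_text: str, since: float, waited_s: float,
           boot_timeout_s: float = 45.0) -> Optional[bool]:
    """Return True (alive), False (treat as frozen) or None (keep waiting).

    The enumeration line appears a few seconds late, so silence or errors
    only count as a freeze once the assumed boot timeout has passed.
    """
    if classify(log_text, since) is State.ALIVE:
        return True
    return False if waited_s >= boot_timeout_s else None


if __name__ == "__main__":
    print(classify(SAMPLE_LOG, since=9300.0))
```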
== Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). 
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. TODO: post kernel logs and investigate reboot log behavior == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]] My Nanotron-3000 is most probably the first one created ever. It took one full day to build. As of this writing, software isn't written for it so it lies around. But soon I'll wake it up and it will start its work. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor slot 1 and faced in direction of the screen. * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|thumb|left]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to boot a nano to disk mode controlled by a PC). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask.
==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). * motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C ca84b8ef5ef2266a95cc4cbb4b0db693b02de32d 1988 1977 2009-08-27T13:09:25Z TheSeven 13 /* TheSeven */ wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) 
we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. As of this writing, software isn't written for it so it lies around. But soon I'll wake it up and it will start its work.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor slot 1 and faces in the direction of the screen.
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|thumb|left]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

eb3bf3df8cff6e25bb776c97443056b84a040e9f 1989 1988 2009-08-27T20:32:12Z 85.176.158.185 0 /* Farthen */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses.
If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs.
There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's still not perfect. The motors don't do what they should do. I think I need to rebuild it.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor slot 1 and faces in the direction of the screen.
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|thumb|left]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask.
The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

7f689c598af50285325821d9a5751cfaa92e494e 1991 1989 2009-08-28T00:00:20Z 85.176.190.95 0 /* Farthen */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.
TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's working now completely and bruteforcing addresses at the moment.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor slot 1 and faces in the direction of the screen.
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|thumb|left]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

92e5b4481785dbcc2c8882f3dbb39fcd93de151f 1992 1991 2009-08-28T00:01:20Z 85.176.190.95 0 /* Farthen */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons.
We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|thumb|left]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's working now completely and bruteforcing addresses at the moment.
==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|thumb|left]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

fc134069f17e22c53b91662416e5abcc8d2522c0 2001 1992 2009-08-29T02:34:51Z Cmwslw 1 wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses.
If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs.
There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|thumb|left|50px]] [[File:Nanotron-3000-farthen-2.jpg|thumb|right|50px]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's working now completely and bruteforcing addresses at the moment.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|thumb|left|50px]] [[File:Nanotron2G-TheSeven-2.jpg|thumb|right|50px]] [[File:Nanotron2G-TheSeven-3.jpg|thumb|right|50px]] [[File:Nanotron2G-TheSeven-4.jpg|thumb|right|50px]] [[File:Nanotron2G-TheSeven-5.jpg|thumb|left|50px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask.
The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|thumb|left|50px]] [[File:IMG_0017.JPG|thumb|right|50px]] [[File:IMG_0018.JPG|thumb|left|50px]] [[File:IMG_0019.JPG|thumb|right|50px]] [[File:IMG_0020.JPG|thumb|left|50px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

8fa9c0242f63087d40beffd0fa296aaca85a4dff 2002 2001 2009-08-29T02:39:09Z Cmwslw 1 wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.
== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late).
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's working now completely and bruteforcing addresses at the moment.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

91ea64255ea66b79d250aba426a10dd35f0c6e52 2003 2002 2009-08-29T15:53:15Z 85.176.165.21 0 /* Farthen */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.
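
One way to keep past log entries out of the freeze test, as an added example that is not the project's own code: record the newest kernel timestamp before the reboot and classify only entries newer than that mark. The function names, the 45-second timeout, the USB error pattern and the sample log lines are assumptions constructed for illustration; only the SCSI line format comes from this page.

```python
import re

# "[ seconds.micro] message" prefix used by the kernel log.
LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# The SCSI inquiry line quoted above; whitespace-tolerant because real logs pad columns.
ALIVE = re.compile(r"scsi \d+:\d+:\d+:\d+: Direct-Access\s+Apple\s+iPod\b")
# Assumed shape of the repeated USB errors a frozen device produces.
USB_ERROR = re.compile(r"^usb \S+: .*\berror -\d+", re.IGNORECASE)


def parse(log_text):
    """Return (timestamp, message) pairs, skipping lines without a timestamp."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            entries.append((float(m.group(1)), m.group(2)))
    return entries


def take_mark(log_text):
    """Newest timestamp currently in the log; call this before rebooting the iPod."""
    entries = parse(log_text)
    return entries[-1][0] if entries else 0.0


def fresh_entries(log_text, mark):
    """Entries written after the mark.

    Kernel timestamps count from host boot, so if the newest entry is older
    than the mark the host itself restarted and every entry is new.
    """
    entries = parse(log_text)
    if entries and entries[-1][0] < mark:
        return entries
    return [e for e in entries if e[0] > mark]


def classify(log_text, mark, waited_s, timeout_s=45.0):
    """Return 'alive', 'pending', 'frozen-usb-errors' or 'frozen-silent'.

    timeout_s is an assumption: the 35 s cable-connected boot time from this
    page plus margin for the few seconds the SCSI line takes to appear.
    """
    fresh = fresh_entries(log_text, mark)
    if any(ALIVE.search(msg) for _, msg in fresh):
        return "alive"
    if waited_s < timeout_s:
        return "pending"  # too early to call it frozen
    if any(USB_ERROR.search(msg) for _, msg in fresh):
        return "frozen-usb-errors"
    return "frozen-silent"  # nothing new at all, e.g. cable plugged in late


# Constructed sample logs (not captured from a real device).
BEFORE = """\
[ 9275.123081] scsi 17:0:0:0: Direct-Access     Apple    iPod             1.62 PQ: 0 ANSI: 0
[ 9301.000100] usb 1-2: USB disconnect, address 9
"""
AFTER_ALIVE = BEFORE + """\
[ 9340.551200] usb 1-2: new high speed USB device using ehci_hcd and address 10
[ 9345.871003] scsi 18:0:0:0: Direct-Access     Apple    iPod             1.62 PQ: 0 ANSI: 0
"""
AFTER_ERRORS = BEFORE + """\
[ 9340.551200] usb 1-2: device descriptor read/64, error -71
[ 9341.102345] usb 1-2: device not accepting address 10, error -71
"""

if __name__ == "__main__":
    mark = take_mark(BEFORE)
    for name, log in (("no new lines", BEFORE), ("alive", AFTER_ALIVE), ("errors", AFTER_ERRORS)):
        print(name, "->", classify(log, mark, waited_s=50.0))
```

A plain search for the SCSI line would report the first sample as alive because of the stale entry at 9275.123081; filtering on the mark is what removes that false positive.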
TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

My Nanotron-3000 is most probably the first one created ever. It took one full day to build. It's having some mechanical problems though and I don't know if I can leave it as it is now.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faces in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

e36ad4febd5a5247ac604d0fe114f103a8902bb1

Address bruteforcing 0 122 1959 1957 2009-08-23T03:18:56Z Cmwslw 1 wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z].
Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| Empty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #2
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|}

63d13031d7fa8cf8b007e8508fb1f9c4d20a3aa9

1962 1959 2009-08-23T11:53:40Z 3mpty 15 nick fixed (I use "empty" only on IRC) wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #2
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|}

97021b353cd0e59d8e2a1e64c3ed92c55af306a2

1963 1962 2009-08-23T17:30:23Z Watto 32 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #2
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|}

3b058ed26fb18838f42fa620ed8cb16fad21a306

1964 1963 2009-08-23T18:00:49Z Watto 32 /* Table of non-#1 behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #2
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|}

2b9aee77c081c2c1fcf6a622351e7ba608d68995

1965 1964 2009-08-23T19:54:00Z Jwnordquist 31 /* Table of non-#1 behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability.
Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table.
If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010104.htm, a08010304.htm, a08010604.htm, a08010704.htm, a08010804.htm, a08010904.htm, a08010a04.htm, a08010b04.htm, a08010c04.htm, a08011004.htm, a08011104.htm, a08011504.htm, a08011604.htm, a08011704.htm, a08011804.htm
| #1
|
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|}
fb5e672b8028f72cbd94e872d22cbe06200b0c89 1970 1965 2009-08-23T22:32:23Z Superandy 22 /* Table of non-#1 behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability.
Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table.
If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|}

== Table of non-#1 behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|}
b669504c1db3b838ba7e3c452fb80159a7ff0456 1979 1970 2009-08-25T03:43:54Z Kylemsguy 26 /* Table of non-#1 behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|}
7b7f566e6d7e9fa2849f5e51c5e8b30c77eac6d4 1980 1979 2009-08-25T04:05:54Z Kylemsguy 26 /* Table of reserved or tested files */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4g Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|}
37890ae0c9068bf132fe936b8e7b374e12d34269 1981 1980 2009-08-26T00:57:26Z Kylemsguy 26 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #1 (for the freeze sweep file), #4 (for the crash sweep file)
| The results for the sweep files were switched (i.e. freeze for crash file, crash for freeze file)
|}
fc9168d823d78660e6abbbed414e4bcc4ff6879c 1982 1981 2009-08-26T01:17:11Z Kylemsguy 26 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. 
Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. 
If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4g Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. 
The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} 0b88e778f7f1fe6e2dfdfd244e4be7ca3eb779d1 1983 1982 2009-08-26T01:22:16Z Kylemsguy 26 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. 
Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. 
If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4g Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. 
The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} 20ecabedabb07c412a8bca52fa18ff261ba354f0 1984 1983 2009-08-26T01:25:31Z Kylemsguy 26 /* Setup */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. 
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). 
If you have one/s that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4g Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. 
The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3604.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} d527de253055b09985c15b10e2b2d51cc82b6fd2 1985 1984 2009-08-27T02:07:06Z ClueX 35 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. 
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). 
If you have one/s that is not either of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4g Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (Both #1) |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|}
68b6efb27ccee112488f9e9ad1fa66319515db11 1986 1985 2009-08-27T02:11:42Z ClueX 35 /* Table of reserved or tested files */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives.
The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names start with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is neither of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|}
== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|}
749eff95192fdafb4d30e88c615120f0c032e399 1987 1986 2009-08-27T04:02:54Z Kylemsguy 26 /* Known problems */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names start with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is neither of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|}
== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that.
It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3604.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|}
1cc4c2c2836bd16be8cb12d46b8f747ec24e6689 1990 1987 2009-08-27T23:28:32Z TheSeven 13 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names start with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one (or more) that is neither of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|}
== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|}
8833ea541fe9fd8b3f3fc132ac0b02282ff8550c 1993 1990 2009-08-28T03:48:23Z Kylemsguy 26 /* Table of reserved or tested files */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives.
The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names start with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one (or more) that is neither of these, record it in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1103.htm
| a080d2f04.htm
| Reserved
|}
== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of RAM jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} fa57b63f73fbf2ffc93fb3766990672fe53e9300 1994 1993 2009-08-28T03:48:46Z Kylemsguy 26 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1103.htm | a080d2f04.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} 84d9b8f57d474f999c0e33e7f4be6740493edc95 1995 1994 2009-08-28T18:31:19Z Kylemsguy 26 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives.
The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} 7f6fc163eba119c49cea721f43d5fbb28a1a1e5b 2004 1995 2009-08-29T17:54:02Z Eosphere46 36 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that freezes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |} c2fd3b9f6fccc6554f5cb9e0a56a9635dab4b7d4 2005 2004 2009-08-29T19:05:27Z Kylemsguy 26 /* Steps */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives.
The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080a7f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b0104.htm | a080b3f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu.
The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|}
0606553f160985277213e0f3adfd9bc143750ff7 2009 2008 2009-08-29T19:42:50Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives.
The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Each filename is prefixed with either an 'a' or a 'b', followed by the address the file jumps to. For now, try only the 'a' files. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new worthwhile features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080a7f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b0104.htm
| a080b3f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|}
b7666efb41fc34630ab7977edce9f84456be0ad5 File:Nanotron-3000-farthen-1.jpg 6 131 1966 2009-08-23T21:11:45Z Farthen 28 This is my nanotron that will help us to do more address bruteforcing in less time. wikitext text/x-wiki This is my nanotron that will help us to do more address bruteforcing in less time. 0a8d127a41116f810d80f7d2e6647e1db689c126 File:Nanotron-3000-farthen-2.jpg 6 132 1967 2009-08-23T21:12:53Z Farthen 28 Second picture of my Nanotron-3000. wikitext text/x-wiki Second picture of my Nanotron-3000.
Address bruteforcing 0 122 2012 2009 2009-08-29T21:04:48Z Kylemsguy 26 /* Known problems */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080a7f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b0104.htm || a080b3f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5004.htm || Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==

If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |} 41f2d402b689cd1e5c05bb23226916c924045f83 2014 2012 2009-08-30T14:51:27Z Watto 32 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. 
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. 
The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! 
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. 
It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |} 845d812dc1fdda9c360d19131240510ebdcf399b 2021 2014 2009-09-02T22:54:59Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. 
Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. 
You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! 
Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08017f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |} 9696369cee933aa1039b5ca3cece241b674e8961 2022 2021 2009-09-03T04:00:38Z Tucenaber 38 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. 
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. 
The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08017f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm | #2 | Have not tested sweepcrash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm | #4 | Have not tested sweepcrash files |} 16ff855febede58b4112a26d663df52c2cb30eed 2023 2022 2009-09-03T04:02:24Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't want anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08017f04.htm | Tested with sweepfreeze |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm | #2 | Have not tested sweepcrash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm | #4 | Have not tested sweepcrash files |} 7d5c90f4609eb312cf6d0e4af6b7ac696d4e23ad 2024 2023 2009-09-03T04:12:45Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't want anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08017f04.htm | Tested with sweepfreeze |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08020104.htm | a08027f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm | #2 | Have not tested sweepcrash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm | #4 | Have not tested sweepcrash files |} 8680fdbd5f2a859257c0c67ee3a688708c2667c6 2027 2024 2009-09-03T20:11:42Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't want anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested with sweepfreeze |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm | #2 | Have not tested sweepcrash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm | #4 | Have not tested sweepcrash files |} 58cfacc48288b5ab0a4176dd2bd1ba01dfa7b7e8 2028 2027 2009-09-03T20:13:12Z Tucenaber 38 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm a08020d04.htm a08026104.htm a08026604.htm a08027704.htm
| #4
| Have not tested sweepcrash files
|}
43971475e600b9132ef3cf89e636cc3081047147 2029 2028 2009-09-04T00:16:11Z Tucenaber 38 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z].
Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}
381fe0136e9810cf7363916f4e29f623c102c667 2031 2029 2009-09-04T21:59:30Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB.
Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}
d2ee9cadd4f2ee4125080ab41293d07b1b7558fe 2032 2031 2009-09-04T22:09:04Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB.
Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080b0104.htm
| a080b7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}
11d2088ac171d903fb1798af8c22a4e147b2226f 2033 2032 2009-09-05T17:08:32Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB.
Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are not either of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
!
Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080b0104.htm
| a080b7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|}
9c6fedd191c2b15d9e292a86f8b2624c3a836bb2 2034 2033 2009-09-05T17:16:21Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z].
Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are not either of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080b0104.htm
| a080b7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|}
6db6a2bc62548a94ec8a3ab05ba5144c749e3a55 2035 2034 2009-09-05T17:48:46Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z].
You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are not either of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080b0104.htm
| a080b7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a4b04.htm
| VERY Strange..hard to describe
| Check this out..
|}
381c05bbb4611659de3c6f7297f944cf253f4c49 2036 2035 2009-09-05T17:55:06Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5004.htm || Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080b0104.htm || a080b7f04.htm || Reserved
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe || Check this out.. Same for the sweepcrash..
|}

2e811f738912a1c1b0965a4cbc72fd7b50b550a8 2037 2036 2009-09-05T18:06:43Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need, one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5004.htm || Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080b0104.htm || a080b7f04.htm || Reserved
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe || Check this out.. Same for the sweepcrash..
|}

b07d5b67915e568137a0c103aa58f21fb9286613 2038 2037 2009-09-05T18:16:49Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need, one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5004.htm || Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Reserved
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe || Check this out.. Same for the sweepcrash..
|}

c83e37823401b763eaf0404225a3f3535ba033d5 2039 2038 2009-09-05T18:26:07Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need, one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21.
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5004.htm || Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Reserved
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || Latest (idk) || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |} 550467f66bce0c10f28de18a1b0d13d5b96ed52d 2040 2039 2009-09-05T18:34:12Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. 
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |} ccdd1277a96917bd43633f2e219b9ce927f887ec 2041 2040 2009-09-05T18:41:25Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. 
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |} 0c1d5fda96e8ded7903fadae0441f1250f24450e 2042 2041 2009-09-05T18:48:47Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. 
== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |} 091763d2b740454f2c3b1de50910af445e435bb0 2043 2042 2009-09-05T18:58:32Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. 
== Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. 
If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |} 9f6c5dfbbceaa46678121f9b393933fe21edaf63 2044 2043 2009-09-05T19:03:35Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). 
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too.

bc858fdf3a65daf68bf144df86b22a8e14e50325 2047 2046 2009-09-05T19:37:23Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too.
|}

316f3a2467099c2461e02857c7e69afd4e47effa 2048 2047 2009-09-05T19:42:55Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features).
I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
!
Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

bcf2eaf3fa9710f618a0ae4ab2f140e2df6dd3f5 2049 2048 2009-09-05T19:58:07Z Eosphere46 36 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4).
If you have any that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Tested Results Below
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
!
Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

599656efe74a4c85589639aeaaca52432ad1eb77 2050 2049 2009-09-05T20:19:24Z Eosphere46 36 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. 
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). 
If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5004.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a5104.htm |a080a5904.htm |Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). 
This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. 
|- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} 5b192ab0fd31679c3585fff6a8f14b7d4a1bbe6b 2051 2050 2009-09-05T20:20:01Z Eosphere46 36 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. 
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). 
If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! 
Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} 7c118ac65ab2a5a83aaff4e06b57b2866b9619d7 2052 2051 2009-09-05T20:20:56Z Eosphere46 36 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. 
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). 
If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} daaa603a8d8af8dbf1c5ebfe28ebc3a74387ed64 2053 2052 2009-09-05T20:29:10Z Eosphere46 36 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see one of four scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Tested Results Below
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5904.htm
| Tested!
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm a080a5c04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a4b04.htm
| VERY Strange..hard to describe
| Check this out.. Same for the sweepcrash..
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a1004.htm
| #3
| Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}
2a7ed9544d52396e8c4e86fc7342d6281d5916b4

2056 2053 2009-09-05T21:48:52Z Eosphere46 36 /* Table of non-#1 (or non-#4) behaviors */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version.

Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Tested Results Below
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5904.htm
| Tested!
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| 1.1.3
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm a080a5c04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a4b04.htm
| VERY Strange..hard to describe
| Check this out.. Same for the sweepcrash..
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a1004.htm
| #3
| Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}
75a80a442e04cf1314dff0a88386b0e84f648937

2073 2056 2009-09-07T23:05:09Z BlackLotus 40 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version.

Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Tested Results Below
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5904.htm
| Tested!
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|-
| BlackLotus
| 3G Nano
| 1.1.3
| Windows
| a080e0104.htm
| a080e7f04.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| 1.1.3
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm a080a5c04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a4b04.htm
| VERY Strange..hard to describe
| Check this out.. Same for the sweepcrash..
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a1004.htm
| #3
| Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}
6525df2567bb39c2c3ac507baf2b8e906790ff8a

Nanotron 3000 0 130 2013 2003 2009-08-30T11:10:16Z 85.176.175.174 0 /* Farthen */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.
== Technical details for 4G ==
* Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
* Time to reboot to main menu: 17.5 seconds
* Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
* Time to reboot to main menu: 35 seconds
* Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late).
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.
72cef0cc1be1617d820e3faa7a58967f126b803d

2017 2013 2009-09-02T00:02:06Z Kylemsguy 26 /* Cable connected */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
* Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
* Time to reboot to main menu: 17.5 seconds
* Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
* Time to reboot to main menu: 35 seconds
* Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (6 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron.
I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module.
Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

8097831569900227ef0b220ba39479e3bb82f43a 2018 2017 2009-09-02T01:38:58Z Cmwslw 1 Reverted edits by [[Special:Contributions/Kylemsguy|Kylemsguy]] ([[User talk:Kylemsguy|Talk]]) to last version by [[User:85.176.175.174|85.176.175.174]] wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between).
With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time but would still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.
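For the kernel-log check described under "Testing for freeze" above, here is an added example (not part of the original wiki page or of the Linux4nano code). It classifies the iPod using only log entries newer than a cutoff timestamp, so that lines from earlier test cycles cannot interfere; the sample log lines are constructed, and the USB error pattern is an assumption about how enumeration failures are logged.

```python
import re

# A dmesg line looks like "[ 9275.123081] message".
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# The line the page says to look for; column spacing varies, so match loosely.
IPOD_SCSI_RE = re.compile(r"scsi \d+:\d+:\d+:\d+: Direct-Access\s+Apple\s+iPod\b")
# Assumption: failed USB enumeration is logged as "usb <port>: ... error -N".
USB_ERROR_RE = re.compile(r"^usb [\d.-]+: .*\berror -\d+")


def parse(lines):
    """Yield (timestamp, message) for every well-formed kernel log line."""
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            yield float(match.group(1)), match.group(2)


def last_timestamp(lines):
    """Newest timestamp in the log; record it just before starting a test."""
    stamps = [ts for ts, _ in parse(lines)]
    return max(stamps) if stamps else 0.0


def classify(lines, cutoff):
    """Classify the iPod's state from entries strictly newer than `cutoff`."""
    usb_errors = 0
    for ts, msg in parse(lines):
        if ts <= cutoff:
            continue  # stale entry from an earlier test cycle
        if IPOD_SCSI_RE.search(msg):
            return "working"
        if USB_ERROR_RE.search(msg):
            usb_errors += 1
    # No disk appeared: either repeated USB errors or complete silence.
    return "frozen (usb errors)" if usb_errors else "no response"


# Constructed sample: a successful earlier cycle followed by a frozen one.
SAMPLE_LOG = [
    "[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
    "[ 9301.550112] usb 1-1: USB disconnect, address 5",
    "[ 9340.004410] usb 1-1: new high speed USB device using ehci_hcd and address 6",
    "[ 9340.120033] usb 1-1: device descriptor read/64, error -71",
    "[ 9340.348071] usb 1-1: device descriptor read/64, error -71",
]
# Constructed sample: the same start, but the iPod enumerates as a disk.
WORKING_LOG = SAMPLE_LOG[:3] + [
    "[ 9345.771904] scsi 18:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
]

if __name__ == "__main__":
    cutoff = last_timestamp(SAMPLE_LOG[:2])   # taken before the reboot
    print(classify(SAMPLE_LOG, cutoff))       # current cycle only
    print(classify(SAMPLE_LOG, 0.0))          # stale line causes a false positive
    print(classify(WORKING_LOG, cutoff))
```

Because the scsi line only appears a few seconds after enumeration, the log should be read again after a wait before a "no response" result is trusted.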
==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons.
It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

72cef0cc1be1617d820e3faa7a58967f126b803d Main Page 0 50 2015 1953 2009-08-31T23:17:26Z TheSeven 13 Update wikitext text/x-wiki

[[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]]
This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page.

'''Status at a glance: Firmware encryption (Nano 2G) cracked, first Nanotron up and running. Working on 2G NAND now.'''

> follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically.

See the [[Status]] page for more detailed information.

[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] [http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive]

b6e8bec80dd5e0f1d88c1a023dd27f195a7cfeaf 2019 2015 2009-09-02T10:52:21Z TheSeven 13 wikitext text/x-wiki

[[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]]
This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net].
[irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Firmware encryption (Nano 2G) cracked, first Nanotron up and running. 2G NAND running, working on FTL.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] [http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive] 6245a2ada0f675e2cf0996810fdeb8ac2d62d379 2058 2019 2009-09-06T01:36:20Z Jwnordquist 31 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Firmware encryption (Nano 2G) cracked, first Nanotron up and running. 2G NAND running, working on FTL.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] ipodlinux.org will be up and running on the 8th!!! 
[http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive] c4e07098eb4fe0d29b6f77044f8b9630a7cfa735 2064 2058 2009-09-06T02:41:47Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Firmware encryption (Nano 2G) cracked. 2G NAND running, FTL currently read-only.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] ipodlinux.org will be up and running on the 8th!!! [http://web.archive.org/web/20071214010046/ipodlinux.org/Main_Page iPodLinux archive] 03e951cbac7690ae689c7428553c1025a1a30e29 2066 2064 2009-09-06T03:09:57Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. 
IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Firmware encryption (Nano 2G) cracked. 2G NAND running, FTL currently read-only.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 4900c0ac4f5d0412fdfb2f463e7c79d560d3c421 2067 2066 2009-09-06T03:17:04Z Cmwslw 1 Changed protection level for "[[Main Page]]" ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: Firmware encryption (Nano 2G) cracked. 2G NAND running, FTL currently read-only.''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 4900c0ac4f5d0412fdfb2f463e7c79d560d3c421 2070 2067 2009-09-06T20:41:04Z TheSeven 13 wikitext text/x-wiki [[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]] This is the wiki page for the Linux4nano project. 
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: We have a working bootloader for Nano 2G!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 258f454e4213f12c0b1b0e75dcc76d2eaff00edf Status 0 121 2016 1878 2009-08-31T23:18:01Z TheSeven 13 Update wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In Progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 
6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 6eaedb1298987ab9a5cc065f7e632f079fc7acb8 2020 2016 2009-09-02T10:53:00Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''RAW (no FTL yet)'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 4d478274d9c3cc513f3dd4f3910790d8e08e59cf 2030 2020 2009-09-04T13:11:34Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''RAW (no FTL yet)'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''Yes? Need to verify'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 7d172d720029480ca7414e5ddc5f12a869ba2394 2055 2030 2009-09-05T21:42:33Z Eosphere46 36 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''RAW (no FTL yet)'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 4d478274d9c3cc513f3dd4f3910790d8e08e59cf 2063 2055 2009-09-06T02:41:01Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic 
(aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 39cd5298f8871567d1da6db66d1263019235b497 2071 2063 2009-09-06T20:41:50Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}
c2e639c26cb89165bdb5d635747b2d7de6d27595 File:Iloader.png 6 145 2074 2009-09-08T03:23:29Z TheSeven 13 What the iLoader menu looks like on an iPod Nano 2G (rendered) wikitext text/x-wiki
What the iLoader menu looks like on an iPod Nano 2G (rendered)
ec6c7d8842decc833bef1a89092b8be27c10df21 IBugger 0 116 2075 1808 2009-09-08T03:27:57Z TheSeven 13 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/1m6Kyr here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes are needed to the code being debugged to allow running it in iBugger
===Rockbox bootloader===
[[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]]
Rockbox developers have started work on porting Rockbox to the Nano2G and it is currently possible to run a Rockbox bootloader (still in a very early state) inside iBugger (picture shown to the right). As iBugger needs a connection to a PC, Rockbox will be booted through [[iLoader]] in the long term.
e49b67731b54d2bbe750c7b8c5e5f82c08b1e892 2109 2075 2009-09-12T12:44:35Z TheSeven 13 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/34JG5x here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes are needed to the code being debugged to allow running it in iBugger
===Rockbox bootloader===
[[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]]
Rockbox developers have started work on porting Rockbox to the Nano2G and it is currently possible to run a Rockbox bootloader (still in a very early state) inside iBugger (picture shown to the right). As iBugger needs a connection to a PC, Rockbox will be booted through [[iLoader]] in the long term.
86b3c0814902b6e0ff239f104e32eade62d845ec 2123 2109 2009-09-13T16:39:27Z TheSeven 13 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes are needed to the code being debugged to allow running it in iBugger
===Rockbox bootloader===
[[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]]
Rockbox developers have started work on porting Rockbox to the Nano2G and it is currently possible to run a Rockbox bootloader (still in a very early state) inside iBugger (picture shown to the right). As iBugger needs a connection to a PC, Rockbox will be booted through [[iLoader]] in the long term.
07760eade07aa3ebc68475d90e7f5caa5fb47a38 ILoader 0 146 2076 2009-09-08T04:14:00Z TheSeven 13 Created page with '[[File:iloader.png|150px|thumb|right|How the iLoader menu looks like on an iPod Nano 2G]] Booting code through the notes exploit has proven to be too uncomfortable in the long te...' wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Right button: Boot Rockbox (/iLoader/rockbox.bin)
* Play button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod.
If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/ipod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use RohPod, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it.
I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height need not be.
ac46b76220d04610b4c5226a822635787f39d7e5 2082 2076 2009-09-08T12:16:13Z 213.142.101.100 0 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive!
As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/ipod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use RohPod, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed.
(This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height need not be.
b23ae6276476f2c2aabbf1ad1c2212507c0cc53d 2083 2082 2009-09-08T13:49:29Z Cmwslw 1 Protected "[[ILoader]]" ([edit=autoconfirmed] (indefinite) [move=autoconfirmed] (indefinite)) wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/ipod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use RohPod, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height need not be.
b23ae6276476f2c2aabbf1ad1c2212507c0cc53d 2091 2083 2009-09-08T14:06:14Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed.
iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/ipod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use RohPod, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet.
Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height need not be.
0536b490d04e00c08cfa085bd70ca8e74b06ed03 2093 2091 2009-09-09T14:35:48Z Farthen 28 fixed link wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]).
You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use RohPod, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it.
This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height need not be.
890f43e48a528f5f786fd9e247ff754e9d1c2982 2099 2093 2009-09-10T14:44:15Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too inconvenient in the long term: you break the Apple firmware that way, yet still have to wait through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page) and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive!
As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now-unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed.
(This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
fb02ee4dfa5d9971275e13f11c8c5f6ac49f766e 2101 2099 2009-09-11T22:18:17Z TheSeven 13 /* Skinning iLoader */ wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
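A pre-flight check for the skin constraints listed under "Skinning iLoader", as an added example that is not part of iLoader or of the original page. It assumes the skins are Windows BMP files, that "RGB565 uncompressed" means 16 bits per pixel with BI_BITFIELDS and 5-6-5 channel masks, and that the flipped row order is stored as a negative height; the sample bitmaps are constructed in the script.

```python
import struct

MAX_W, MAX_H = 176, 132            # display size given on the page
BI_RGB, BI_BITFIELDS = 0, 3        # values of the BMP compression field
RGB565_MASKS = (0xF800, 0x07E0, 0x001F)


def check_skin(data):
    """Return a list of problems; an empty list means the bitmap passes."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file"]
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    if hdr_size < 40 or width <= 0 or height == 0:
        return ["unsupported header or invalid dimensions"]

    problems = []
    if bpp != 16:
        problems.append("not 16 bits per pixel (found %d)" % bpp)
    elif compression == BI_BITFIELDS:
        # The three channel masks sit at file offset 54 for every header version.
        if len(data) < 66:
            problems.append("truncated: channel masks missing")
        elif struct.unpack_from("<III", data, 54) != RGB565_MASKS:
            problems.append("channel masks are not RGB565")
    elif compression == BI_RGB:
        # Plain 16-bit BI_RGB is defined as 5-5-5, so it is not RGB565.
        problems.append("16-bit BI_RGB is RGB555, not RGB565")
    else:
        problems.append("compressed bitmap (compression=%d)" % compression)

    # Assumption: "inverted row order" is a top-down BMP (negative height).
    if height > 0:
        problems.append("rows are bottom-up; row order must be flipped")
    if width > MAX_W or abs(height) > MAX_H:
        problems.append("larger than %dx%d" % (MAX_W, MAX_H))
    if width % 2:
        problems.append("width is odd")

    # BMP rows are padded to 4 bytes. With an even width at 16 bpp the stride
    # is exactly width * 2, so the pixel data contains no padding bytes.
    stride = (width * bpp + 31) // 32 * 4
    if pixel_offset + stride * abs(height) > len(data):
        problems.append("truncated: pixel data shorter than header claims")
    return problems


def make_bmp(width, height, top_down=True, masks=RGB565_MASKS):
    """Build a constructed all-black 16-bit test bitmap with a 40-byte header."""
    stride = (width * 16 + 31) // 32 * 4
    pixels = bytes(stride * height)
    offset = 14 + 40 + 12          # file header + info header + three masks
    info = struct.pack("<IiiHHIIiiII", 40, width,
                       -height if top_down else height,
                       1, 16, BI_BITFIELDS, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + info + struct.pack("<III", *masks) + pixels


if __name__ == "__main__":
    samples = {
        "full-screen skin": make_bmp(176, 132),
        "bottom-up rows": make_bmp(176, 132, top_down=False),
        "odd width": make_bmp(175, 100),
        "RGB555 masks": make_bmp(64, 64, masks=(0x7C00, 0x03E0, 0x001F)),
    }
    for name, blob in samples.items():
        print(name, "->", check_skin(blob) or "OK")
```

To check a real skin, pass the bytes of the file to `check_skin` before copying it into the iLoader directory.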
cfb9f21c492722460fa6c083a732716361bb9cd9 2103 2101 2009-09-12T00:43:50Z TheSeven 13 wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee"> '''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.''' </div>
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod.
If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it.
I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
c2a6389e9b90560f16a7a28c542c5bc8ee2b69d5 2105 2103 2009-09-12T04:01:20Z TheSeven 13 /* Known Issues */ wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee"> '''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.''' </div>
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader.
It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod.
If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
81168f6fe024876355aa757b4766954844a48769 2106 2105 2009-09-12T04:02:04Z TheSeven 13 /* Known Issues */ wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee"> '''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.''' </div>
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive!
As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/1m6Kyr here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed.
(This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
4cdc428af503a90446ae5684e95fb488e28c2b33 2108 2106 2009-09-12T12:44:10Z TheSeven 13 wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee"> '''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case!
Some ignorant Hackaday author has started this rumor.''' </div>
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/34JG5x here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
02d18e470dccd9222b8c93bb20e83246027327ff 2113 2108 2009-09-13T02:56:14Z Charllee 48 Hackaday has added a correction, so any of us who follow the link are already aware that we cannot get Linux on our Nanos wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/34JG5x here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
dde9fe309cea2bc4570b31246f0fd118eb3875c0 2124 2113 2009-09-13T16:39:57Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod.
If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it.
I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
a422d200e8f88e8bda765b1b618f14980c8b2966 2125 2124 2009-09-13T16:46:03Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader.
It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod.
If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
dc067e13d8b6ad0c9ea2a4b39337118240f9b9fd 2126 2125 2009-09-13T16:46:20Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive!
As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader!
(This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work when iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
de9dcc57001e53695443290f6f796dc8b0c3765b 2127 2126 2009-09-13T16:46:51Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it.
I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
6a6b009af6f5781fc89a275d27344dce08fedc8b 2158 2127 2009-09-15T05:26:03Z Pat loonytoon 49 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader.
It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod.
If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/Talk:ILoader_Themes Themes]
a7f67b7ce1f37c43bcba2e3e1ff5d0a8676d4ea9 2161 2158 2009-09-15T08:03:37Z Pat loonytoon 49 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order.
Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes]
be6b6327de6a16c0040dae6eaacc02a2a702a13b 2162 2161 2009-09-15T08:52:44Z Fergofrog 43 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY!
Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''
Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unpack it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)
Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader!
(This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and will start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.

File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button has the ability to decrypt a firmware image.
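A skin bitmap can be checked against the constraints listed above before it is copied to the iPod. The following is an added example, not code from the iLoader project: the function names are hypothetical, "inverted row order" is assumed to mean top-down storage (negative BMP height), and RGB565 is assumed to be declared through BI_BITFIELDS channel masks; the page does not say which header fields iLoader itself reads.

```python
import struct

MAX_W, MAX_H = 176, 132            # display size given on the page
BI_RGB, BI_BITFIELDS = 0, 3        # standard BMP compression codes
RGB565_MASKS = (0xF800, 0x07E0, 0x001F)


def check_skin_bitmap(data):
    """Return a list of problems; an empty list means the file passes."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file with a BITMAPINFOHEADER"]
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    _size, width, height, _planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    problems = []

    if bpp != 16:
        problems.append(f"{bpp} bits per pixel, expected 16")
    if compression == BI_BITFIELDS:
        # The three channel masks follow the 40-byte info header (offset 54).
        masks = struct.unpack_from("<III", data, 54) if len(data) >= 66 else None
        if masks != RGB565_MASKS:
            problems.append("channel masks are not RGB565")
    elif compression == BI_RGB:
        if bpp == 16:
            # Without masks a 16-bit BMP is defined as 5-5-5, not 5-6-5.
            problems.append("no channel masks: header describes RGB555")
    else:
        problems.append("bitmap is compressed")

    if not (0 < width <= MAX_W and 0 < abs(height) <= MAX_H):
        problems.append(f"size {width}x{abs(height)} is outside {MAX_W}x{MAX_H}")
    if width % 2:
        problems.append("width is not a multiple of 2")
    # Assumption: "inverted row order" means top-down rows (negative height).
    if height > 0:
        problems.append("row order is bottom-up (not inverted)")

    # BMP rows are padded to 4 bytes; an even width at 16 bpp needs no padding.
    stride = (max(width, 0) * bpp // 8 + 3) & ~3
    if len(data) - pixel_offset < stride * abs(height):
        problems.append("pixel data is truncated")
    return problems


def make_bmp(width, height, top_down=True, bpp=16):
    """Build a blank BMP for testing (constructed sample, not a real skin)."""
    stride = (width * bpp // 8 + 3) & ~3
    pixels = bytes(stride * height)
    offset = 14 + 40 + 12              # file header + info header + masks
    info = struct.pack("<IiiHHIIiiII", 40, width,
                       -height if top_down else height,
                       1, bpp, BI_BITFIELDS, len(pixels), 2835, 2835, 0, 0)
    masks = struct.pack("<III", *RGB565_MASKS)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + info + masks + pixels


if __name__ == "__main__":
    for label, bmp in (("full screen", make_bmp(176, 132)),
                       ("odd and too wide", make_bmp(177, 132)),
                       ("bottom-up", make_bmp(100, 50, top_down=False))):
        print(label, "->", check_skin_bitmap(bmp) or "ok")
```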
===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).

41d04d0efc668e05cbaf5a1ac345f8d0cc669cee 2163 2162 2009-09-15T12:01:12Z Cmwslw 1 wikitext text/x-wiki

[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too uncomfortable in the long term, as you break the Apple firmware that way but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and extract it. You will get three disk images, one for each of the three available flash sizes for your iPod.
If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and will start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.

File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button has the ability to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
ef7301160e347daea79d3e68094d213e8cf44ac6 2164 2163 2009-09-15T12:03:46Z Cmwslw 1 wikitext text/x-wiki

[[File:iloader.png|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven too uncomfortable in the long term, as you break the Apple firmware that way but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and extract it. You will get three disk images, one for each of the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract it from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.
Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after a few seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

If someone wants to make an automated installer for this, either on Linux, Mac, or Windows, feel free.

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader.
If you do, it will probably not save its settings and will start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* There is still some trouble with Type-2 LCDs: the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced"; GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2; the height doesn't need to be.

File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button has the ability to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).

46fcb5177b63c4e119f2b610b9e5fc855184b8b2 Main Page 0 50 2077 2070 2009-09-08T04:14:25Z TheSeven 13 wikitext text/x-wiki

[[File:rb_bootloader_upright.jpg|150px|thumb|right|Tethered RB bootloader]]
This is the wiki page for the Linux4nano project.
[http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 98f8e341013b189f1a9a17aff5497762b55c2464 2081 2077 2009-09-08T12:12:49Z Cmwslw 1 wikitext text/x-wiki [[File:iloader.png|150px|thumb|right|Untethered multi-bootloader]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 348e48d5feb23fa59f53082b30e1915d8d323cea 2092 2081 2009-09-08T14:38:27Z Cmwslw 1 wikitext text/x-wiki [[File:iloader.png|150px|thumb|right|Untethered multi-bootloader (real deal, not a concept)]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] d3ac5fa409cdd2b7873a6855d567e567c8484e15 2102 2092 2009-09-12T00:34:59Z Cmwslw 1 wikitext text/x-wiki [[File:iloader.png|150px|thumb|right|Untethered multi-bootloader (real deal, not a concept)]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. 
'''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. NOTICE: Anyone who has landed here thinking that Linux is running on the new Nanos, you are wrong! Some ignorant Hackaday author has started this rumor. [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 68311293953f04e46ab7c7117e223c309478ba27 2104 2102 2009-09-12T00:44:04Z TheSeven 13 wikitext text/x-wiki <div style="padding:10px; border: solid 2px red; background: #fee"> '''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.''' </div> [[File:iloader.png|150px|thumb|right|Untethered multi-bootloader (real deal, not a concept)]] This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page. '''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!''' > follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 186315d00b8db22631cdb765f6a4686a291a6fd1 Nanotron 3000 0 130 2079 2018 2009-09-08T10:13:49Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. 
The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

== Technical details for 4G ==
* Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
* Time to reboot to main menu: 17.5 seconds
* Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it

=== Cable connected ===
* Time to reboot to main menu: 35 seconds
* Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). At that rate we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will be needed to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.
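One way to keep past log entries from interfering with the current test is to record the newest kernel timestamp before each run and ignore everything at or before it. The following is an added example, not the project's own software: the function names are hypothetical, the USB error pattern is an assumed shape (the page does not quote those lines), and the sample logs are constructed around the one line format shown above.

```python
import re

# Kernel ring buffer line: "[ 9275.123081] message text"
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# The SCSI inquiry line the page quotes for a working iPod.
IPOD_RE = re.compile(r"^scsi \d+:\d+:\d+:\d+: Direct-Access\s+Apple\s+iPod\b")
# Assumed shape of USB enumeration errors; the page does not quote them.
USB_ERR_RE = re.compile(r"^usb \d+-[\d.]+: .*(?:error -\d+|unable to enumerate)")


def parse(lines):
    """Yield (timestamp, message) for every well-formed kernel log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2)


def newest_timestamp(lines):
    """Timestamp of the last entry; record it just before a test run starts."""
    stamps = [ts for ts, _ in parse(lines)]
    return max(stamps) if stamps else 0.0


def classify(lines, baseline):
    """Classify one test run, ignoring every entry at or before `baseline`."""
    saw_usb_error = False
    for ts, msg in parse(lines):
        if ts <= baseline:
            continue                      # stale entry from an earlier test
        if IPOD_RE.match(msg):
            return "working"              # the iPod enumerated as a disk
        if USB_ERR_RE.match(msg):
            saw_usb_error = True
    return "frozen-usb-errors" if saw_usb_error else "no-response"


# Constructed sample logs (only the scsi line's format comes from the page).
PREVIOUS_RUN = [
    "[ 9275.123081] scsi 17:0:0:0: Direct-Access     Apple    iPod"
    "             1.62 PQ: 0 ANSI: 0",
]
FROZEN_RUN = PREVIOUS_RUN + [
    "[ 9341.500112] usb 1-1: new high speed USB device using ehci_hcd and address 9",
    "[ 9356.612345] usb 1-1: device descriptor read/64, error -110",
    "[ 9372.001200] usb 1-1: device not accepting address 9, error -71",
]
WORKING_RUN = PREVIOUS_RUN + [
    "[ 9341.500112] usb 1-1: new high speed USB device using ehci_hcd and address 9",
    "[ 9344.201877] scsi 18:0:0:0: Direct-Access     Apple    iPod"
    "             1.62 PQ: 0 ANSI: 0",
]

if __name__ == "__main__":
    baseline = newest_timestamp(PREVIOUS_RUN)
    for name, log in (("frozen", FROZEN_RUN), ("working", WORKING_RUN),
                      ("silent", PREVIOUS_RUN)):
        print(name, "->", classify(log, baseline))
```

Without the baseline, the entry left over from the previous run would be counted as a working iPod even though nothing enumerated during the current test.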
TODO: post kernel logs and investigate reboot log behavior

08e13e7d2c77d35e299e5f2aad8f755a3a763043 Address bruteforcing 0 122 2095 2073 2009-09-09T19:07:53Z Bene 41 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains a file for every return address that can possibly be jumped to. The best way to get the files is to extract just the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z freeze the iPod if code has executed, and the files in sweepcrash.7z crash it if code is executed.
The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown.
This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Reserved
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| bene || 3G Nano || 1.1.3 || Windows || a080e8004.htm || a080e9f04.htm || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

fe9dca4eef881443eaa36e51b4a530d118b5e301 2096 2095 2009-09-09T19:12:34Z Bene 41 /* Table of reserved or tested files */ wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Reserved |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! 
Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} 6525df2567bb39c2c3ac507baf2b8e906790ff8a 2112 2096 2009-09-12T18:16:55Z Tucenaber 38 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). 
This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. 
|- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} 6870fcf6ea0ccfec6018898cccecdde30f5d7262 2128 2112 2009-09-13T18:51:34Z Cmwslw 1 /* Known problems */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. 
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/?p=29 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table.
If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! 
iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}
b4a1aa7bb30b654e358d32b6ff45140ddcb1a62e Status 0 121 2097 2071 2009-09-10T01:03:02Z Interpolarity 42 Added new ipods wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made and ported to Rockbox. As of August 2, iPodLinux has not made any attempts to add support to any devices.
{| border="1" cellpadding="5" cellspacing="0"
! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''FTL still Read-Only'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic (aka 6.75G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}
4377cbff5feb55d29ae480d0ede293df043efd3c 2129 2097 2009-09-13T23:19:44Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made and ported to Rockbox.
As of August 2, iPodLinux has not made any attempts to add support to any devices.
{| border="1" cellpadding="5" cellspacing="0"
! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''FTL still Read-Only'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''Early work'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic (did it change?)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}
5d24a726569e0b14e9cc5e9b9a6b9171c0a41be5 2130 2129 2009-09-13T23:21:01Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices.
{| border="1" cellpadding="5" cellspacing="0"
! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''FTL still Read-Only'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''Early work'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic (did it change?)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}
9d3cd2a05c2bebc62278dc4065aaffd33402b53b 2133 2130 2009-09-14T11:45:00Z Interpolarity 42 let's keep it professional... leave comments for the discussion page wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices.
{| border="1" cellpadding="5" cellspacing="0"
! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''FTL still Read-Only'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:gray">'''Early work'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}
8ab4069df40ec0f074617d2876dd93a2c738d50e Extracting firmware 0 57 2134 1637 2009-09-14T22:52:27Z Mcd1992 51 wikitext text/x-wiki
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command.

Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>

Also, if you are using the osos.fw output by extract2g in iLoader, you need to do the following to it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Then put osos.out into /iLoader/osos.fw

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware
a7bf8363488c4bf119a7df67dc4e858108bcf62c 2135 2134 2009-09-14T22:52:44Z Mcd1992 51 wikitext text/x-wiki
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command.

Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>

Also, if you are using the osos.fw output by extract2g in iLoader, you need to do the following to it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Then put osos.out into /iLoader/osos.fw

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware
fb3bb961acf046ee9cfb617aae46b9823f454794 File:HxD-0.PNG 6 148 2136 2009-09-15T00:26:30Z Dgby714 52 HxD Program Picture 1 wikitext text/x-wiki
HxD Program Picture 1
671ffbba76950568c5e9f461715d007c1304387a File:HxD-6.PNG 6 149 2137 2009-09-15T00:33:57Z Dgby714 52 HxD Picture 2 wikitext text/x-wiki
HxD Picture 2
3d0da2faa036f3beb71b168f2663b4bee9a2fc63 File:HxD-3.PNG 6 150 2138 2009-09-15T00:37:23Z Dgby714 52 HxD Picture 3 wikitext text/x-wiki
HxD Picture 3
208d59c3d05189631bf274380e44aa431c8baf5d File:HxD-2.PNG 6 151 2139 2009-09-15T00:38:47Z Dgby714 52 HxD Picture 4 wikitext text/x-wiki
HxD Picture 4
d9653c26c6e0dec1fe671328660e36e87a98b45b File:HxD-5.PNG 6 152 2140 2009-09-15T00:40:05Z Dgby714 52 HxD Picture 5 wikitext text/x-wiki
HxD Picture 5
de9ac10edcc45aaca57fda2b028c8754d9ad9b64 File:Basic.jpg 6 154 2152 2009-09-15T05:11:53Z Pat loonytoon 49 Basic skin for ILoader wikitext text/x-wiki
Basic skin
for ILoader
0b63c8b36f8913ca30e0f0496df497aa9cffdf33 2153 2152 2009-09-15T05:13:16Z Pat loonytoon 49 uploaded a new version of "[[File:Basic.jpg]]": Basic skin for ILoader wikitext text/x-wiki
Basic skin for ILoader
0b63c8b36f8913ca30e0f0496df497aa9cffdf33 File:Beach.jpg 6 155 2154 2009-09-15T05:13:58Z Pat loonytoon 49 Beach skin for ILoader wikitext text/x-wiki
Beach skin for ILoader
fa440d3be5364f1c71216f3110ccc111f59567db File:Original.jpg 6 158 2165 2009-09-15T20:21:44Z Gman777 54 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 ILoader 0 146 2167 2164 2009-09-16T00:22:10Z TheSeven 13 wikitext text/x-wiki
[[File:iloader.png|150px|thumb|right|How the iLoader menu looks on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have to sit through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

If someone wants to make an automated installer for this, either on Linux, Mac, or Windows, feel free.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels)
* The width in pixels must be a multiple of 2, the height need not be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
f64c24f102e83a4a19cc71edbe3a08bf1178e731 2172 2167 2009-09-16T02:44:09Z Dgby714 52 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|How the iLoader menu looks on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have to sit through its non-negligible boot-up time. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)
===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

If someone wants to make an automated installer for this, either on Linux, Mac, or Windows, feel free.
===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync
===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.
===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.
===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels)
* The width in pixels must be a multiple of 2, the height need not be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.
===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
5ffa5a8667a57aaed130ac9424fa86df1ceb2f56
2174 2172 2009-09-16T11:11:45Z TheSeven 13 /* Installation */ wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed.

iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod.

If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it.

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
35c31fd16a930be31feaeb1dcd364007fa7ad611
2190 2174 2009-09-21T01:15:52Z Cmwslw 1 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed.

iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod.

If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes).

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it.

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
3f3bd09a5e9581c77df78954c4d36aeab39e6ba0
2192 2190 2009-09-21T01:39:02Z Mataamad 59 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed.

iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod.

If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes). See [[Extracting firmware]] for more information.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it.

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
5121f467e73721a284591fc0e8b80dee4fa5bc9c
2232 2192 2009-09-27T17:49:38Z Gman777 54 /* Installation */ wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible boot-up times. This is why iLoader has been developed.

iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware (/iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/iLoader/rockbox.bin)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod.

If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes). See [[Extracting firmware]] for more information.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(Use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "rockbox.bin" or "custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the Apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it. For more in-depth instructions, see [[ILoader Howto]].

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the Apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim ~70MB of now unused Apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", GIMP can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels).
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
cc25fdf1b3f3075a5c10bdcfd6a392321d10bfff
File:Original-hires.png 6 159 2169 2009-09-16T00:26:40Z TheSeven 13 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
File:ILoader-Real.jpg 6 160 2170 2009-09-16T01:37:09Z Dgby714 52 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
2171 2170 2009-09-16T01:38:56Z Dgby714 52 uploaded a new version of "[[File:ILoader-Real.jpg]]" wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
Main Page 0 50 2173 2104 2009-09-16T03:15:18Z Cmwslw 1 wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee">
'''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.'''
</div>
[[File:ILoader-Real.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net]. [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] is the channel for developers. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here] (password protected). Info about this wiki can be found at the [[Linux4Nano_Wiki:About|About]] page.

'''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!'''

> follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
243d2e5884c540988c01ff0ecce14e0f8a3a0095
2175 2173 2009-09-16T11:53:09Z Cmwslw 1 wikitext text/x-wiki
<div style="padding:10px; border: solid 2px red; background: #fee">
'''NOTICE: Anyone who has landed here thinking that Linux is already running on the new Nanos, this is not yet the case! Some ignorant Hackaday author has started this rumor.'''
</div>
[[File:ILoader-Real.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

'''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!'''

> follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
dadcc5a358428e265ca31dfa02a30679ffc987a9
2176 2175 2009-09-16T11:53:28Z Cmwslw 1 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

'''Status at a glance: We have a working [[iLoader|bootloader for Nano 2G]]!'''

> follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically.
See the [[Status]] page for more detailed information.

[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
66d31879964b04e2c24202a45a66aaf33f06325b
2177 2176 2009-09-16T11:55:38Z Cmwslw 1 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We have a working [[iLoader|bootloader for Nano 2G]]!'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
bc7b648df7980563f91bfde848352d9e5a53939f
2178 2177 2009-09-17T02:56:25Z Cmwslw 1 wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano.'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
b8e45a5cf3b29780e22f00f1078614f5d1b70bee
2182 2178 2009-09-17T10:38:01Z Cmwslw 1 wikitext text/x-wiki
[[File:Rockbox.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano.'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
ddbf35c82bc3862a4a6d482a64a01b858806ae8c
2183 2182 2009-09-17T10:44:04Z Cmwslw 1 wikitext text/x-wiki
[[File:Rockbox.jpg|150px|thumb|right|Untethered multi-bootloader]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. (as pictured to the right)'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
b573a744d3293f77b778d6f47b2e49c24bb0947a
2184 2183 2009-09-17T21:12:50Z TheSeven 13 wikitext text/x-wiki
[[File:Rockbox.jpg|150px|thumb|right|Very early Rockbox build]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. (as pictured to the right)'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]
db246ae2e37e23cf9fbf712d1a142612d5c72156
2206 2184 2009-09-22T19:03:13Z Cmwslw 1 wikitext text/x-wiki
[[File:Rockbox.jpg|150px|thumb|right|Very early Rockbox build]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. You will be '''immediately kicked''' if you ask support questions anywhere else. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. (as pictured to the right)'''

Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] f08bb8fa7287f510648fb6850a6641b215cdf61b Status 0 121 2179 2133 2009-09-17T05:40:02Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work'''</span> | <span style="color:red">'''No'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 3c940faa0ad4ca78b8a0fa59924864dd984c36ce 2180 2179 2009-09-17T05:40:13Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !!
Linux |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work'''</span> | <span style="color:red">'''No'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 1b77caffa3e40287986b803111dff3d2af6a68f8 2187 2180 2009-09-18T23:59:26Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux !! Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 3e7a375160f8b5aab0ba47890a014c443605261a 2212 2187 2009-09-23T21:33:09Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux !!
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://l4n.clustur.com/index.php/Status here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 6a04c89c58edfe14824ed84368e5c5deb0389b24 2216 2212 2009-09-24T10:55:19Z Linuxstb 19 Fix URL to Rockbox status page wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! iBugger !! UART !! USB !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption !! Bootloader !! Rockbox !! Linux !!
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} faa53356a3771625f5316dc6371cfa0e3e6e7a5c 2238 2216 2009-09-30T12:11:33Z Cmwslw 1 organized tables wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 14, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !!
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | 
<span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} e41792daecb4d8505dbfe9a71b9288211cabe660 2239 2238 2009-09-30T12:19:05Z Cmwslw 1 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !!
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''FTL still Read-Only'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 674d76c5a55c72d511397c08194ab547fd549d4b 2240 2239 2009-09-30T19:23:00Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support for any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !!
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''needs thorough testing'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 437db22eb746f5c08af4a7ca6038145467d173b7 File:Rockbox.jpg 6 161 2181 2009-09-17T10:37:15Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Address bruteforcing 0 122 2186 2128 2009-09-18T11:55:49Z Cmwslw 1 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. 
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. Each filename starts with either an 'a' or a 'b', followed by the address the file jumps to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise, continue where the others have left off.
Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/?p=29 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center.
If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested!
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. 
|- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} c0ea2c8ee66089914f92ffb3a302876215644146 2196 2186 2009-09-22T06:27:45Z Farthen 28 Added link to firmware downgrading guide wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version.
Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. Each filename starts with either an 'a' or a 'b', followed by the address the file jumps to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise, continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. Also, the 1.0.4 firmware release for the 4G Nano has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/?p=29 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds.
The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} 0cb8d767a59eab3078ee6e7c350b842df114a7f4 2207 2196 2009-09-22T19:12:41Z Cmwslw 1 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. Each filename starts with either an 'a' or a 'b', followed by the address the file jumps to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise, continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]]. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

cd9f7ea24a8ee8a257f504aab7b72145960edfd6
2208 2207 2009-09-22T19:15:27Z Cmwslw 1 /* Known problems */ wikitext text/x-wiki
705e43f2b60a37b15e31386ce09297055b4bf995
2226 2208 2009-09-25T17:10:37Z D00p3k 62 wikitext text/x-wiki

'''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker.
If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains a file for every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Tested
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080f0104.htm || a080f7f04.htm || Tested
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe <sup>1</sup> || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

<sup>1</sup> - I have added a video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]

c27850a7bf1025706a0c81ce1d966c17a0ad084d
File:Maryo.jpg 6 162 2188 2009-09-20T23:20:14Z Pat loonytoon 49 Maryo theme by patloonytoon wikitext text/x-wiki

Maryo theme by patloonytoon

45dde595e192e564c17880eae4eaecdd0d3209d3
Extracting firmware 0 57 2191 2135 2009-09-21T01:36:30Z Mataamad 59 wikitext text/x-wiki

The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others).
If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmware images, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>

Also, if you are using the osos.fw output by extract2g in iLoader, you need to do the following to it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Then put osos.out into /iLoader/osos.fw

Alternatively, under Windows, open osos.fw in HxD, choose 'select block' from the edit menu, select from 0 to 7FF, then delete this region and save.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

0e82d12dcfd2c973d131c4380a82058bd5612681
Firmware downgrading 0 163 2194 2009-09-22T06:24:17Z Farthen 28 Simple guide to firmware downgrading, missing link wikitext text/x-wiki

This is a simple guide to firmware downgrading with iTunes 8 and 9 without losing music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!)

First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded.

==Firmware Files==
Later I'll post a link to the actual .ipsw file for the 4g nano, don't have it at the moment.

c469a0746cf3ade1f9bdaee08902c38deb60a3e9
2209 2194 2009-09-22T19:16:41Z Cmwslw 1 moved [[Firmware Downgrading]] to [[Firmware downgrading]] wikitext text/x-wiki

This is a simple guide to firmware downgrading with iTunes 8 and 9 without losing music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!)

First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded.

==Firmware Files==
Later I'll post a link to the actual .ipsw file for the 4g nano, don't have it at the moment.

c469a0746cf3ade1f9bdaee08902c38deb60a3e9
2211 2209 2009-09-22T19:18:35Z Cmwslw 1 wikitext text/x-wiki

This is a simple guide to firmware downgrading with iTunes 8 and 9 without losing music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!)

First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded.

==Firmware Files==
The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] for the instructions above.

7f7def32f5a1f1da82bfe1bb985b7170d2475c40
2242 2211 2009-10-01T05:40:55Z Farthen 28 You don't need the signature file when downgrading using this method wikitext text/x-wiki

This is a simple guide to firmware downgrading with iTunes 8 and 9 without losing music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!)

First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded.

==Firmware Files==
The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above.

ea68166365810ecc96fd116468616a93438c2af0
Nanotron 3000 0 130 2197 2079 2009-09-22T11:00:32Z Tucenaber 38 /* Nanotrons */ wikitext text/x-wiki

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons.
It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:

# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day.
With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. TODO: post kernel logs and investigate reboot log behavior 0dccf923ef2f63fd68b52c2e98799ff27f459613 2199 2197 2009-09-22T11:14:06Z Tucenaber 38 /* tucenaber */ wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. 
I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). * motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C === cmwslw === [[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]] My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. 
Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable. === tucenaber === [[File:Nanotron3g1.jpg]] [[File:Nanotron3g2.jpg]] [[File:Nanotron3g3.jpg]] [[File:Nanotron3g4.jpg]] This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rests on one rubber rings each, comes from a bicylce wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. == Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. 
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. 
TODO: post kernel logs and investigate reboot log behavior 0b360a916a1ad501071adf2bd25877392690d1bd 2204 2199 2009-09-22T12:06:24Z Tucenaber 38 /* tucenaber */ wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. 
The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). * motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C === cmwslw === [[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]] My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable. === tucenaber === [[File:Nanotron3g1.jpg]] [[File:Nanotron3g2.jpg]] [[File:Nanotron3g3.jpg]] [[File:Nanotron3g4.jpg]] This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rests on one rubber ring each, comes from a bicylce wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of cmwslw's code. 
== Technical details for 4G == *Time to hold down menu and center buttons to restart: exactly 5 seconds === Cable disconnected === *Time to reboot to main menu: 17.5 seconds *Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it === Cable connected === *Time to reboot to main menu: 35 seconds *Time to reboot to disk mode: 11 seconds For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). 
Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. TODO: post kernel logs and investigate reboot log behavior ef052b54727831a0c3002c6abf53e380b7bcb929 2205 2204 2009-09-22T18:43:08Z Cmwslw 1 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. 
This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction with technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in the direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously.
The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of cmwslw's code.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds

=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it

=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable. Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior
fb521ec8ef848174aee737ae5f191df8a1633173

File:Nanotron3g1.jpg 6 165 2198 2009-09-22T11:01:19Z Tucenaber 38 Nanotron 3g wikitext text/x-wiki
Nanotron 3g
a94e11df908f60d67b25f3d0298ad97ae47a6084

File:Nanotron3g2.jpg 6 166 2201 2009-09-22T11:20:08Z Tucenaber 38 Nanotron 3g wikitext text/x-wiki
Nanotron 3g
a94e11df908f60d67b25f3d0298ad97ae47a6084

File:Nanotron3g3.jpg 6 167 2202 2009-09-22T11:25:17Z Tucenaber 38 Nanotron 3g wikitext text/x-wiki
Nanotron 3g
a94e11df908f60d67b25f3d0298ad97ae47a6084

File:Nanotron3g4.jpg 6 168 2203 2009-09-22T11:29:14Z Tucenaber 38 Nanotron 3g wikitext text/x-wiki
Nanotron 3g
a94e11df908f60d67b25f3d0298ad97ae47a6084

Talk:Firmware decryption 1 76 2214 1610 2009-09-23T21:44:03Z TheSeven 13 wikitext text/x-wiki
you need access to the aes engine. what happens is the bootloader has a "salt", if that is the correct word for it, as I am not a crypto expert, and that is encrypted with the system gid key. the result of that was used as the key, with an IV of 0, to decrypt the firmware files. now, the thing is, this gid key is never loaded into ram, so any time you need to utilize it, you need direct access to the aes engine. this means, basically, you need to be able to write to the registers directly, no kernel or anything to get in the way.
hopefully this helps, that is how it worked for the iPod touch and iPhone before Apple came out with the new KBAG method, so it should probably give you a push in the right direction. I have no idea how the nano does stuff, so I don't know how feasible this would actually be for you all. [[User:Chronic|Chronic]] 01:50, 26 March 2009 (UTC)

The nano in fact uses the GID key directly on the data. --[[User:TheSeven|TheSeven]] 21:44, 23 September 2009 (UTC)

== DSP ==
Can DSP be involved in encrypt-decrypt process? Newer chips sometimes include embedded encryption unit, but n2g's CPU does not - so why don't use DSP. Need more info on "CalmRisc16+MAC2424".

The nano in fact has a crypto coprocessor, which is pretty much 8900-like. --[[User:TheSeven|TheSeven]] 21:44, 23 September 2009 (UTC)
bd4e19e31095d686be94f6ef4241305ccd4f91a3

IBugger 0 116 2215 2123 2009-09-24T10:31:20Z Linuxstb 19 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.

===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB.
Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes needed to the code being debugged, to allow running it in iBugger

===Rockbox bootloader===
[[File:Img9088.jpg|150px|thumb|right|2G Rockbox bootloader]]
Rockbox developers have started work on porting Rockbox to the Nano2G and it is currently possible to run a Rockbox bootloader (still in a very early state) inside iBugger (picture shown to the right). As iBugger needs a connection to a PC, Rockbox will be booted through [[iLoader]] or a Rockbox bootloader written to the Nano2G's firmware partition.
26102a240baf7e762a25500b35984f4ff34dea88

Hardware 0 54 2234 1831 2009-09-28T14:07:23Z TheSeven 13 /* 2G Nano */ Removed some clearly wrong crap. wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung.
If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip.
Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash
| Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]].
|}

==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)

http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx

http://arstechnica.com/apple/reviews/2005/09/nano.ars/4

[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed

===2G Nano===
[[Nano2G%2BHW%2Banalysis]]

[[S5L8701 analysis]]

http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1

http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#

http://content.techrepublic.com.com/2346-13636_11-170826-1.html

http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1

http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html

[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]

===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

===6G Classic===
http://en.wikipedia.org/wiki/IPod_Classic

http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html

===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx

http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
44f4c3ef65d5ceb1872ea3fe7b4a925d46eefab8

User:Farthen 2 125 2244 1918 2009-10-01T13:07:52Z Farthen 28 wikitext text/x-wiki
Just a summary of me:

No programming experience (yet)

I have a 4g nano, downgraded to 1.0.3 to help you exploit the notes ;-)

Found out about this project in June 2009.

If you have questions for me, just ask on the [[User_talk:Farthen|talk page]], on irc or through the mailing list.

I'm from Germany and speak German, English and some French.
d708601505dfbd9cf13c03972417c06695a293a5 File:Rockbox.jpg 6 161 2251 2181 2009-10-07T03:58:57Z Dgby714 52 uploaded a new version of "[[File:Rockbox.jpg]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Status 0 121 2257 2240 2009-10-07T13:19:04Z Revolution 63 /* Basic drivers or steps: */ wikitext text/x-wiki This status is based on the progress the the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''contains some bugs. But works most of the time. 
Check out []iLoader howto]]'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 2745dc468fee5067fbb696e4fdd4d912b7582345 2258 2257 2009-10-07T13:19:20Z Revolution 63 /* Basic drivers or steps: */ wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''contains some bugs. But works most of the time. Check out [[iLoader howto]]'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 318390c1ea24ce96a1cd71db34716490ee3905f3 2259 2258 2009-10-07T13:19:56Z Revolution 63 fixed link wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''contains some bugs. But works most of the time. Check out [[ILoader Howto]]'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Unnecessary?'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} af9c9628b07665ebf906109f28fc0bb52a0d9c99 2272 2259 2009-10-09T06:08:25Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''contains some bugs. But works most of the time. Check out [[ILoader Howto]]'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Early work''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} d1b44ece998f9948b121529b9733170f3840e6e9 2339 2272 2009-10-26T22:30:27Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} dd966a47e1f9d8a4b073c1edffea7c1b28012ac5 2340 2339 2009-10-26T22:30:53Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 2af6bd9b77ef35b658c4800d51979a8bcb7bf72d 2341 2340 2009-10-28T01:15:41Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! Execution (via notes) !! UART !! USB !! iBugger !! LCD !! Piezo !! Clickwheel !! Audio !! NAND/Hard Drive !! Power management !! 
Firmware encryption |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:gray">'''In progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:gray">'''In progress'''</span> | <span style="color:gray">'''buggy, needs work'''</span> | <span style="color:gray">'''very limited functionality'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''Alternative needed'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! 
Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} d84bdd901b01384904e3a4540e673887ba805ce1 2342 2341 2009-10-29T12:08:14Z TheSeven 13 Flip that ever-growing table wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Buffer not found'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:gray">'''No core yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} f112cd74508dca19388caaab55cf0eba9cb0dffe 2344 2342 2009-10-29T14:51:35Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices.
== Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Buffer not found'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:gray">'''No core yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 3350c8b4d2babf7433e3cc7a9043636a37e58a6d 2345 2344 2009-11-01T18:36:44Z TheSeven 13 wikitext text/x-wiki This 
status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Buffer not found'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:gray">'''No core yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span
style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 64ccb66c76766d95c67bc77a9746b70a47b0d79f 2346 2345 2009-11-01T18:37:09Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Buffer not found'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! Bootloader !! Rockbox !! Linux !! Uncap |- | 2G Nano | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> |- | 3G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 4G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 5G Nano | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 1G Classic (aka 6G) | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 2G Classic (aka 6.5G) | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 3G Classic | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |} 332235a5892d88d1220f5ac005d93c0c1931cc09 2349 2346 2009-11-01T20:50:09Z TheSeven 13 argh... wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Buffer not found'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span
style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Write support still experimental'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

== Custom firmware ==

{| border="1" cellpadding="5" cellspacing="0"
! !! Bootloader !! Rockbox !! Linux !! Uncap
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

ab58d53651caaf5361ccb4642f9fa02cbd6f0fef

2352 2349 2009-11-04T20:43:38Z Farthen 28 Added accelerometer, small fixes wikitext text/x-wiki

This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices.

== Basic drivers or steps: ==

In semi-chronological order:

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Write support still experimental'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

== Custom firmware ==

{| border="1" cellpadding="5" cellspacing="0"
! !! Bootloader !! Rockbox !! Linux !! Uncap
|-
| 2G Nano
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| 3G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 4G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 5G Nano
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 1G Classic (aka 6G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 2G Classic (aka 6.5G)
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| 3G Classic
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

faee3b5741c5f527e8868927799fd7a31d74acfc

2353 2352 2009-11-08T22:12:27Z Cmwslw 1 /* Custom firmware */ wikitext text/x-wiki

This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices.

== Basic drivers or steps: ==

In semi-chronological order:

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Write support still experimental'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

== Custom firmware ==

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic
|-
| Bootloader
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Rockbox
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Linux
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Uncap
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

cd533223638ddcbb2be7cd2d653f37f40d98c5bf

2358 2353 2009-11-10T14:07:32Z STeeF 88 USB Work in Progress, first signs of life, iBugger and further USB work needed wikitext text/x-wiki

This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices.

== Basic drivers or steps: ==

In semi-chronological order:

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Write support still experimental'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

== Custom firmware ==

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic
|-
| Bootloader
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Rockbox
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Linux
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Uncap
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

5465c5c0f36995c44440b51942192c06a13f4149

2395 2358 2009-12-15T18:45:29Z Cmwslw 1 Unprotected "[[Status]]" wikitext text/x-wiki

This status is based on the progress the Linux4nano team has made. As of September 30, iPodLinux has not made any attempts to add support to any devices.

== Basic drivers or steps: ==

In semi-chronological order:

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs bruteforcing'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Write support still experimental'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

== Custom firmware ==

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic
|-
| Bootloader
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Rockbox
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Linux
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Uncap
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|}

5465c5c0f36995c44440b51942192c06a13f4149

MPEG movies 0 173 2268 2009-10-07T16:28:27Z Revolution 63 Made a MPEG How-to. Please expand and fix my horrible quality of writing. wikitext text/x-wiki

Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer

----

Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies?
Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==

Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop.

Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop.

Now type the following into the window that popped up when you typed cmd, and then press Enter:

"ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes)

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:

"ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes).

Now wait for the program to finish. You should now see a new file on your Desktop.

Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file, and it should play.

== Linux Instructions: ==

Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use "sudo apt-get install ffmpeg" (without quotes). Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:

"ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes)

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:

"ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes).

''Note: If libmp3lame doesn't work, use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox, navigate to your file and play it.

047bade92a307ebbbe08a06497012c1cfce248f7

2270 2268 2009-10-07T23:23:46Z Revolution 63 Added some notes wikitext text/x-wiki

Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer

----

Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==

Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop.

Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop.

Now type the following into the window that popped up when you typed cmd, and then press Enter:

"ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes)

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:

"ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes).

Now wait for the program to finish. You should now see a new file on your Desktop.

Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file, and it should play.

== Linux Instructions: ==

Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use "sudo apt-get install ffmpeg" (without quotes). Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:

"ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes)

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:

"ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes).

''Note: If libmp3lame doesn't work, use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox, navigate to your file and play it.

== Several Notes ==

To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.
71ef6ada711055a3022ef2c0a93219e16aa2e7ae 2309 2270 2009-10-13T15:10:37Z Revolution 63 /* Several Notes */ wikitext text/x-wiki
Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, then press Enter: "ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes). Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be: "ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes). Now wait for the program to finish. Now on your Desktop you should see a new file. Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G.
Reboot your iPod to Rockbox, click Files, then click on your movie file and it should play.

== Linux Instructions: ==
Mac OS X users can follow these instructions, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following: "ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]" (without quotes). Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be: "ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg" (without quotes). ''Note: If libmp3lame doesn't work, use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox, navigate to your file and play it.

== Several Notes ==
To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.
f599268aeca31fc09b8b04b42f7993664f3084b1 2385 2309 2009-12-13T22:13:43Z Senkus 115 wikitext text/x-wiki
Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg.
Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, then press Enter:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
Now wait for the program to finish. Now on your Desktop you should see a new file. Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file and it should play.

== Linux Instructions: ==
Mac OS X users can follow these instructions, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
''Note: If libmp3lame doesn't work, use just mp3.''

Now copy the resulting video file to your iPod Nano 2G.
In Rockbox, navigate to your file and play it.

== Several Notes ==
To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.
a9cf0e3944ce9feed0a38199fd3770c4f73e7dc2 Address bruteforcing 0 122 2282 2226 2009-10-09T23:14:52Z Cmwslw 1 /* Setup */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
'''README''': The sweepfreeze.7z archive was actually an archive with delaycrash payloads (it accidentally got renamed). It has been taken down until a real sweepfreeze.7z is made.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes
|- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer
|- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out
|- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4
|- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod
|- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool
|- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 |
|- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files.
|- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] 49a30fdc8b5f48c8d20cdbc2808cbdf5d6b66901 2283 2282 2009-10-09T23:19:43Z Cmwslw 1 /* Setup */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. 
Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
'''README''': The sweepfreeze.7z archive was actually an archive with delaycrash payloads (it accidentally got renamed). It has been taken down until a real sweepfreeze.7z is made. I'd like to apologize to all the people that helped out bruteforcing, because the wrong archive would have made a right address look like a wrong one. But even still, it was a very slim chance that the ranges searched would have turned up anything.

OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now.
As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!
Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status
|- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested
|- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested
|- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested
|- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1)
|- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4)
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested
|- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below
|- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested!
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested
|- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| border="1"
|- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes
|- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer
|- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out
|- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4
|- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod
|- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. 
|- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

<sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]
f3ef713cd261b6daf91dd079d9173f3219ab6a7d 2284 2283 2009-10-10T01:27:55Z Cmwslw 1 /* Setup */ wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c27850a7bf1025706a0c81ce1d966c17a0ad084d 2397 2284 2009-12-15T18:48:58Z Cmwslw 1 Unprotected "[[Address bruteforcing]]" wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. 
But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need, one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c27850a7bf1025706a0c81ce1d966c17a0ad084d File:Doomed.jpg 6 174 2331 2009-10-17T02:40:29Z Plasmapunk 72 Skin for iLoader wikitext text/x-wiki Skin for iLoader 309d2565af64b563d701bc4bf447d3bdce5774e7 File:MetalSlugtheme.jpg 6 175 2335 2009-10-22T01:23:50Z Plasmapunk 72 Name says it all. wikitext text/x-wiki Name says it all. 8537b79b1b4de70b86d8fb5db75f91369075389e File:4g ibugger.jpg 6 176 2347 2009-11-01T19:01:12Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Main Page 0 50 2348 2206 2009-11-01T19:03:56Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. 
Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. You will be '''immediately kicked''' if you ask support questions anywhere else. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] aeb4cc732f7533c35e1e1071930993c1411ed535 2394 2348 2009-12-15T18:45:06Z Cmwslw 1 Changed protection level for "[[Main Page]]" ([edit=autoconfirmed] (indefinite) [move=autoconfirmed] (indefinite)) wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. You will be '''immediately kicked''' if you ask support questions anywhere else. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] aeb4cc732f7533c35e1e1071930993c1411ed535 2415 2394 2009-12-21T16:29:15Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano @ irc.freenode.net] for questions and comments. You will be '''immediately kicked''' if you ask support questions anywhere else. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 6bc96701a121d290216b970545c70757bdb7924b About 0 111 2355 1758 2009-11-10T12:01:51Z Revolution 63 Redirected page to [[Main Page]] wikitext text/x-wiki #REDIRECT [[Main Page]] c222ad63e9e6a1e286ff83e0861447ce17bf759f Nano4G firmware upgrade process 0 186 2372 2009-11-30T22:21:29Z TheSeven 13 Created page with ' the whole firmware update is done through a custom 0xc6 scsi command first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response...' wikitext text/x-wiki the whole firmware update is done through a custom 0xc6 scsi command first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response (meaning unknown) maybe the count of update log entries? 
then the last update log page (4KB) is read using a c6 97 00 01 00 00 00 00 00 00 packet
then a new log page (4KB) is written using a c6 98 00 01 00 00 00 00 00 00 packet
then there is a c6 94 00 02 80 00 00 00 00 00 00 00 00 00 00 00 packet, no idea what it's good for, no data stage
the next stage is uploading the "N58s.bootloader.release.rb3" file, using a c6 90 <type> <size> 00 00 00 00 00 00 00 00 00 packet
<type> is 00 for the MSE, and 01 for the RB3 file, size is the big endian 32bit file size
the transfer itself is done using c6 91 00 10 00 00 00 00 00 00 packets, each (besides the last one, which is trimmed to the number of bytes left to be transferred) followed by 5 data stages, being 16384, 3584, 16384, 16384 and 12800 bytes in size
I can't think of any reason for this weird splitting, maybe it isn't even necessary and just an iTunes weirdness
then the transfer is closed using a c6 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 packet
the next step is uploading "Firmware.MSE" the same way
finally a c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 is sent (no data stage), and another log entry is written
that's the whole deal. -- [[User:TheSeven|TheSeven]] 22:21, 30 November 2009 (UTC)

To send these commands on Linux you need the scsirastools (http://scsirastools.sourceforge.net/). On Debian you have to build it yourself using configure, make, make install. Once you have built it, run as root: sgdiag -I

You will get a prompt. First type c to send a custom command, then the number of the device (the list is just above). The CDB length is 10, then the bytes are c6 ... (e.g. c6 97 00 01 00 00 00 00 00 00 for the first one). Response data length is 4 bytes for the first command, 0 for the ones with no data stage or for uploading firmware or log sending, and 4096 for log reading. The output data length is the size of data sent to the iPod (excluding the command). That's it. If the device is an iPod you should get a response; if it isn't, you will get an error message.
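The upload framing described above, worked through as an added Python example (not part of the original page and not the project's code). It only builds and labels byte strings and sends nothing; all function names are hypothetical, and the rule used to trim the last packet's data stages (fill the stages in order until the bytes run out) is an assumption, since the page only says the last packet is trimmed.

```python
import struct

# Values taken from the page's description of the custom 0xc6 SCSI command.
OPCODE = 0xC6
SUBCOMMANDS = {
    0x96: "initiate update (4-byte response, meaning unknown)",
    0x97: "read last update log page (4KB)",
    0x98: "write new update log page (4KB)",
    0x94: "unknown purpose, no data stage",
    0x90: "start file upload",
    0x91: "upload data packet",
    0x92: "close file upload",
    0x31: "final command, no data stage",
}
FILE_TYPES = {0x00: "MSE", 0x01: "RB3"}
DATA_STAGES = (16384, 3584, 16384, 16384, 12800)  # stages per c6 91 packet
PACKET_BYTES = sum(DATA_STAGES)                   # 65536 bytes per full packet

DATA_CDB = bytes.fromhex("c6 91 00 10 00 00 00 00 00 00")
CLOSE_CDB = bytes.fromhex("c6 92" + " 00" * 14)


def start_cdb(file_type, size):
    """c6 90 <type> <size>, then nine zero bytes (16 bytes in total)."""
    if file_type not in FILE_TYPES:
        raise ValueError("type must be 0x00 (MSE) or 0x01 (RB3)")
    if not 0 <= size <= 0xFFFFFFFF:
        raise ValueError("size must fit in 32 bits")
    # <size> is the big-endian 32-bit file size.
    return bytes([OPCODE, 0x90, file_type]) + struct.pack(">I", size) + bytes(9)


def stage_sizes(payload_len):
    """Data-stage sizes for one c6 91 packet carrying payload_len bytes.

    ASSUMPTION: a trimmed last packet fills the stages in order and stops
    when the bytes run out; the page does not spell this out.
    """
    if not 0 < payload_len <= PACKET_BYTES:
        raise ValueError("a packet carries between 1 and 65536 bytes")
    sizes = []
    for stage in DATA_STAGES:
        if payload_len == 0:
            break
        take = min(stage, payload_len)
        sizes.append(take)
        payload_len -= take
    return sizes


def plan_upload(file_type, size):
    """Return [(cdb, [data stage sizes]), ...] for uploading one file."""
    plan = [(start_cdb(file_type, size), [])]
    remaining = size
    while remaining > 0:
        chunk = min(PACKET_BYTES, remaining)
        plan.append((DATA_CDB, stage_sizes(chunk)))
        remaining -= chunk
    plan.append((CLOSE_CDB, []))
    return plan


def describe(cdb):
    """Label a captured CDB using only the subcommands the page lists."""
    if len(cdb) < 2 or cdb[0] != OPCODE:
        return "not a 0xc6 command"
    label = SUBCOMMANDS.get(cdb[1], "subcommand not documented on the page")
    if cdb[1] == 0x90 and len(cdb) >= 7:
        size = struct.unpack(">I", cdb[3:7])[0]
        kind = FILE_TYPES.get(cdb[2], "unknown type")
        label += f": {kind}, {size} bytes"
    return label


if __name__ == "__main__":
    # Constructed sample: a 150000-byte RB3 file (the size is made up).
    for cdb, stages in plan_upload(0x01, 150000):
        print(" ".join(f"{b:02x}" for b in cdb), "|", describe(cdb), "|", stages)
```
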
18fbfd6931981b97fc5da1cae5ae0c41a999709e ILoader 0 146 2380 2379 2009-12-07T01:22:13Z Linuxstb 19 /* Installation */ wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot apple firmware ("osbk" image created by ipodpatcher, /iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot rockbox (/.rockbox/rockbox.ipod)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]).
You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes). See [[Extracting firmware]] for more information.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod. If you want to, you can also add additional firmwares as "/.rockbox/rockbox.ipod" or "/iloader/custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it. For more in-depth instructions, see [[ILoader Howto]].

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens because the iPod gets repartitioned during the process, in order to reclaim about 70MB of now unused apple firmware space. For a final public release, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the Apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels)
* The width in pixels must be a multiple of 2; the height need not be.
File names can be changed using a hex editor, if you want (or by just recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button has the ability to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes] or at [http://l4n.fergofrog.com/ http://l4n.fergofrog.com/] (alpha at the moment, will receive heavy development in the next three weeks).
27c06050729e3574ac7006ee90c12612869f7325 Notes vulnerability 0 98 2387 1748 2009-12-14T02:28:20Z 98.249.113.152 0 wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTML browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].

Basic rules are:
*64kB files are loaded just after the boot of the nano; however, they are not kept in RAM
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)

There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing.

=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.

=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded as multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.
If a return address is put repeatedly in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (The unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again.)

== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits in UTF8 (no byte of the return address >7F).

An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);"

This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc...

The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA work, otherwise they can interfere.

== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.

== UART ==
The UART is exactly as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable.
my complete setup is a little bit more complex : [[Image:Nanofighter.jpg|100px|thumb]] *left board : DLC5 jtag interface, modified for reset and USB switching *right board : some programmer board, only the ST232 is used *upper board : this was the jtag scanner, now only the power supply and 5V regulator are used *middle board : all the switching stuff To automatically enter DFU mode, i wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == Because UART needs HW, USB will be used to debug in the future == Analysis of the dumps == To be documented. 5361e4399335de0cd8210fd8c082aab9cad9e71d Nanotron 3000 0 130 2391 2205 2009-12-15T18:43:40Z Cmwslw 1 Protected "[[Nanotron 3000]]" ([edit=autoconfirmed] (indefinite) [move=autoconfirmed] (indefinite)) wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. 
==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). * motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C === cmwslw === [[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]] My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. 
It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures they bent too easily and had to be reinforced with steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of cmwslw's code.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds
=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quickly you can press it
=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds
For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.
Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === Currently, the easiest way to test for a working iPod is to look for a line similar to: [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. 
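One way to implement the kernel-log check described above so that past entries cannot interfere, as an added example (not the Linux4nano project's code): it keeps only entries newer than a timestamp recorded just before the reboot is forced, then looks for the iPod's SCSI line. The function names, the 60-second default timeout and the sample log are assumptions made for illustration; apart from the SCSI line quoted on this page, the log lines are constructed.

```python
import re
import subprocess
import time
from enum import Enum

# Kernel log entry: "[ 9275.123081] message" (seconds since boot, monotonic)
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
# The SCSI enumeration line quoted on this page (column padding may vary)
IPOD_RE = re.compile(r"scsi \d+:\d+:\d+:\d+:\s+Direct-Access\s+Apple\s+iPod\b")
# Assumption: USB failures show up as "usb <port>: ... error -<errno>"
USB_ERR_RE = re.compile(r"usb \S+: .*error -\d+")


class Result(Enum):
    ALIVE = "alive"            # iPod enumerated as a disk after the test started
    USB_ERRORS = "usb_errors"  # only USB errors were logged since the test started
    SILENT = "silent"          # nothing relevant was logged since the test started


def parse_line(line):
    """Split '[ 9275.123081] msg' into (9275.123081, 'msg'); None if no timestamp."""
    m = LINE_RE.match(line.strip())
    return (float(m.group(1)), m.group(2)) if m else None


def last_timestamp(lines):
    """Newest timestamp in the log; record it just before forcing the reboot."""
    stamps = [p[0] for p in map(parse_line, lines) if p]
    return max(stamps) if stamps else 0.0


def classify(lines, start_ts):
    """Classify the iPod's state from entries strictly newer than start_ts."""
    saw_error = False
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, msg = parsed
        if ts <= start_ts:
            continue  # stale entry left over from an earlier test cycle
        if IPOD_RE.search(msg):
            return Result.ALIVE
        if USB_ERR_RE.search(msg):
            saw_error = True
    return Result.USB_ERRORS if saw_error else Result.SILENT


def read_dmesg():
    """Current kernel log as a list of lines (needs permission to run dmesg)."""
    out = subprocess.run(["dmesg"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def wait_for_ipod(read_log, start_ts, timeout=60.0, poll=1.0,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll the log until the iPod enumerates or the timeout expires."""
    deadline = clock() + timeout
    while True:
        result = classify(read_log(), start_ts)
        if result is Result.ALIVE or clock() >= deadline:
            return result
        sleep(poll)


# Constructed sample: one successful enumeration, then a later cycle that fails.
SAMPLE_LOG = """\
[ 9275.123081] scsi 17:0:0:0: Direct-Access     Apple    iPod             1.62 PQ: 0 ANSI: 0
[ 9275.130412] sd 17:0:0:0: [sdb] Attached SCSI removable disk
[ 9301.552310] usb 1-4: USB disconnect, device number 23
[ 9340.771902] usb 1-4: new high-speed USB device number 24 using ehci_hcd
[ 9345.884127] usb 1-4: device descriptor read/64, error -110
[ 9351.101455] usb 1-4: device not accepting address 24, error -71
""".splitlines()

if __name__ == "__main__":
    # Without a start marker the old SCSI line gives a false "alive" result.
    print(classify(SAMPLE_LOG, 0.0))
    # With the marker taken at the disconnect, only the USB errors count.
    print(classify(SAMPLE_LOG, 9301.552310))
```

In a live run, call `last_timestamp(read_dmesg())` before pressing the reset combination and pass the result to `wait_for_ipod(read_dmesg, start_ts)`.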
TODO: post kernel logs and investigate reboot log behavior fb521ec8ef848174aee737ae5f191df8a1633173 2392 2391 2009-12-15T18:43:51Z Cmwslw 1 Unprotected "[[Nanotron 3000]]" wikitext text/x-wiki fb521ec8ef848174aee737ae5f191df8a1633173 2413 2392 2009-12-16T22:12:44Z Kartoshka 117 wikitext text/x-wiki Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO. == Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it.
This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures they bent too easily and had to be reinforced with steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously.
The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of cmwslw's code.

== Timings for resetting and rebooting iPods ==
{| border="1"
|-
! Action
! Nano 4G
! Classic 2G
|-
| Reset
| 5 seconds
| 5 seconds
|-
| Reboot to main menu (cable disconnected)
| 17.5 seconds
| 28 seconds
|-
| Reboot to main menu (cable connected)
| 35 seconds
| 28 seconds
|-
| Reboot to disk mode (cable disconnected)
| 2-3 seconds
| 4-5 seconds
|-
| Reboot to disk mode (cable connected)
| 11 seconds
| 4-5 seconds
|-
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)
So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...
=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will be needed to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior
e10780d177fca0335b147724cad4bfeca3a0f898 Chronology 0 65 2393 1852 2009-12-15T18:44:33Z Cmwslw 1 Unprotected "[[Chronology]]" wikitext text/x-wiki
This page lists all models of iPods and sets the naming for them, so that nobody on this wiki or on IRC is confused about what we are talking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)]
| 2007-09
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)]
| 2008-09
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
|
|}

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.
736417f6a3d740a41eb376ff454182e148c34146 Dumping firmware 0 53 2399 1636 2009-12-15T18:49:43Z Cmwslw 1 Unprotected "[[Dumping firmware]]" wikitext text/x-wiki
The first step in examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| border="1" cellpadding="5" cellspacing="0"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches. A key could be hidden in here.
|}

You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
5461870fc5a50c4cfb2bd202130d1c87f09f3bb7 Extracting firmware 0 57 2400 2191 2009-12-15T18:49:59Z Cmwslw 1 Unprotected "[[Extracting firmware]]" wikitext text/x-wiki
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>

Also, if you are using the osos.fw output by extract2g in iLoader, you need to do the following to it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Then put osos.out into /iLoader/osos.fw

Alternatively, under Windows, open osos.fw in HxD and select 'select block' from the edit menu, select from 0 to 7FF, then delete this region and save.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
0e82d12dcfd2c973d131c4380a82058bd5612681 Firmware 0 56 2404 1653 2009-12-15T18:50:54Z Cmwslw 1 Unprotected "[[Firmware]]" wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].
NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the different aupd partitions of firmware versions in the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and of not much use to this project.

==Nano 4g==
The Nano 4g doesn't have an ''aupd'' partition. Instead, seven new partitions were added: appl, chrg, bdhw, diag, bdsw, disk, lbat. The disk and diag partitions possibly contain Disk and Diagnostic modes.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
9765b4f5a0a9ae60d2f0a29ba21880406f916de1 Firmware decryption 0 66 2407 1641 2009-12-15T18:55:27Z Cmwslw 1 Unprotected "[[Firmware encryption]]" wikitext text/x-wiki
Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used very similar methods on the iPhone and iPod touch to the Nanos, especially the 4G. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/
14697d64b7c4ce99fb6d6ef271a6ccdbed32079c Hardware 0 54 2408 2234 2009-12-15T18:55:58Z Cmwslw 1 Unprotected "[[Hardware]]" wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC.
Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. 
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. 
|} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 44f4c3ef65d5ceb1872ea3fe7b4a925d46eefab8 Modes 0 52 2411 1920 2009-12-15T18:56:58Z Cmwslw 1 Unprotected "[[Modes]]" wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. 
Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It has not yet been worked out how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device on your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see below links). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 USB DFU Device
  iSerial                 3 87020000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      iInterface              0
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)
</pre>

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses a 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
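The descriptors shown in the DFU mode section can be decoded offline before any protocol work starts. The Python below is an added example, not code from this wiki or from any Linux4nano tool: it classifies lsusb lines using the product IDs listed above and decodes the bytes that lsusb printed as "UNRECOGNIZED" as a DFU functional descriptor, using the field layout from the DFU 1.1 specification linked under Helpful pages. The function names are hypothetical, and the bus and device numbers in the sample listing are constructed.

```python
import re
import struct

APPLE_VID = 0x05AC
# Product IDs exactly as listed on this page: (model, mode).
KNOWN_PIDS = {
    0x1223: ("Nano 3G", "DFU"),
    0x1224: ("Nano 3G", "DFU"),
    0x1225: ("Nano 4G", "DFU"),
    0x1262: ("Nano 3G", "normal"),
    0x1263: ("Nano 4G", "normal"),
}
LSUSB_ID = re.compile(r"\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")

# Bit names of bmAttributes in the DFU functional descriptor (DFU 1.1).
ATTRIBUTE_BITS = (
    (0x01, "can_download"),
    (0x02, "can_upload"),
    (0x04, "manifestation_tolerant"),
    (0x08, "will_detach"),
)


def classify_lsusb(text):
    """Return (vid:pid, model, mode) for each lsusb line whose ID is listed on this page."""
    found = []
    for line in text.splitlines():
        match = LSUSB_ID.search(line)
        if not match:
            continue
        vid, pid = (int(group, 16) for group in match.groups())
        if vid == APPLE_VID and pid in KNOWN_PIDS:
            found.append((f"{vid:04x}:{pid:04x}",) + KNOWN_PIDS[pid])
    return found


def dfu_interface_state(cls, subclass, protocol):
    """Interpret bInterfaceClass/SubClass/Protocol; class 0xFE subclass 1 is DFU."""
    if (cls, subclass) != (0xFE, 0x01):
        return "not a DFU interface"
    return {1: "runtime", 2: "DFU mode"}.get(protocol, "unknown protocol")


def parse_dfu_functional(raw):
    """Decode a DFU functional descriptor (type 0x21) given as hex text or bytes."""
    data = bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)
    if len(data) < 7:
        raise ValueError("too short for a DFU functional descriptor")
    length, dtype = data[0], data[1]
    if dtype != 0x21:
        raise ValueError(f"descriptor type 0x{dtype:02x} is not DFU functional (0x21)")
    # 9 bytes with bcdDFUVersion; the older 7-byte form lacks that field.
    if length != len(data) or length not in (7, 9):
        raise ValueError(f"bLength {length} inconsistent with {len(data)} bytes supplied")
    attrs, detach_ms, transfer_size = struct.unpack_from("<BHH", data, 2)
    info = {name: bool(attrs & mask) for mask, name in ATTRIBUTE_BITS}
    info["detach_timeout_ms"] = detach_ms
    info["transfer_size"] = transfer_size
    info["dfu_version"] = None
    if length == 9:
        (bcd,) = struct.unpack_from("<H", data, 7)
        info["dfu_version"] = f"{bcd >> 8:x}.{bcd & 0xFF:02x}"
    return info


# Bytes copied from the "UNRECOGNIZED" line of the Nano 3G lsusb output above.
DESCRIPTOR_3G = "09 21 03 0a 00 00 08 00 01"

# Constructed listing: IDs are from this page, bus/device numbers are made up.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05ac:1223 Apple, Inc.
Bus 001 Device 005: ID 05ac:1263 Apple, Inc.
"""

if __name__ == "__main__":
    for entry in classify_lsusb(SAMPLE_LSUSB):
        print(entry)
    print(dfu_interface_state(254, 1, 2))
    print(parse_dfu_functional(DESCRIPTOR_3G))
```

For the Nano 3G dump this reports upload and download support, a 2048-byte transfer size, a 10 ms detach timeout and a bcdDFUVersion field of 1.00.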
==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf 8929357c3006fcd70405a9e1f3373efbd8849c9e Nano2G clock gates 0 191 2417 2009-12-26T20:18:11Z 95.112.188.133 0 Created page with '(State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a pa...' wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USBPHY? (Datasheet) |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2C (Datasheet, verified) |- | 05 | 0 | I2S (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? 
(Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | Unknown |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Unknown, but needs to be powered on |} e1dc63f62b760e9417b1443819318ca7c3e10ef3 2418 2417 2009-12-26T20:22:11Z 95.112.188.133 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? 
(Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USBPHY? (Datasheet) |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2C (Datasheet, verified) |- | 05 | 0 | I2S (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | Unknown |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Unknown, but needs to be powered on |} 3573243d0b87fb2c697aebf5e168ec939129270e Main Page 0 50 2420 
2415 2009-12-30T18:15:22Z N00b81 33 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano #linux4nano-dev @ irc.freenode.net] for development discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 717fabe1ff309ccea8bac0689b687a14449c11bd 2421 2420 2009-12-30T18:16:43Z N00b81 33 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. 
==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] e631d52066dc3ced3291ec39e784a6e3765e554f 2422 2421 2009-12-30T18:17:06Z N00b81 33 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 2999d4f26e470e6390c535c672167e862f88869c 2452 2422 2010-02-14T11:35:09Z TheSeven 13 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''Nano 4G bootrom has been dumped, looking for an exploit. iBugger core v0.1 successfully running on 4G Nano! 
(as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] dc2cff00aa891a4dbf4c8290b75fa124c47a4cb8 2454 2452 2010-02-15T14:11:34Z TheSeven 13 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''Nano 4G firmware has been decrypted, bootrom-level unsigned code execution exploit has been found. iBugger core v0.1 successfully running on 4G Nano! (as pictured to the right), also 2G Rockbox is for the most part stable''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 2514a18ce7d810231667d8bd8eddf7638ed6f4ef 2458 2454 2010-02-23T13:36:28Z TheSeven 13 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. 
Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] d43cfedd2a7e0feb8e65be871746ef187c995d9a 2459 2458 2010-02-23T13:56:59Z TheSeven 13 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 73e5aecb91882bfa856f331a531a27033ffe508e 2494 2459 2010-03-07T03:15:55Z TheSeven 13 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. 
Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs alpha-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] 3e338e1f57c9957edd6b8035e9af27b0a39f30e0 Address bruteforcing 0 122 2425 2397 2010-01-19T21:08:09Z KAB123 119 Adding 2G Classic results wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). 
I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version.

Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now.

As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. } <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] 179b8f28611678a51cb28517926efc5d38992c19 2426 2425 2010-01-19T21:09:13Z KAB123 119 broke table. fixing wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. 
This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] f1fc898cf6c43aea72a2d7157b7ade790dca3d38 2429 2426 2010-01-27T04:44:23Z JoeWheeler 120 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. 
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off.
Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive.
If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! 
Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c0e7c3bd95949150ca3d8c5305af6ee9c106ac9d 2432 2429 2010-01-28T17:29:56Z Bogdan 121 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. 
This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the 'a' files for now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32 and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |- | bogdan | 3G Nano | 1.1.3 | Windows | a08100a04.htm | a08101804.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] 545b140d1458a0b28f7963a2e8683c3949002f0c 2434 2432 2010-01-30T16:17:51Z Bogdan 121 /* Table of reserved or tested files */ wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. 
This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains a file for every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start with a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone testing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see one of four scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c0e7c3bd95949150ca3d8c5305af6ee9c106ac9d 2462 2434 2010-02-24T14:36:46Z 92.116.10.174 0 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. 
Done for 3G as well through an old iPhone exploit on a bootrom vulnerability.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains a file for every return address that can possibly be jumped to. The best way to get the files is to extract just the ones you need one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the 'a' files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting.
If nobody has started on your iPod yet, start with a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone testing the same files at the same time). Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see one of four scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is removed.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4).
If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==

{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. 
| Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. 
|- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] f174b5bd5188f8459005b20a70e9e12251e3ac5d Nano2G clock gates 0 191 2427 2418 2010-01-24T17:17:42Z 95.112.137.220 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2C (Datasheet, verified) |- | 05 | 0 | I2S (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Unknown, but needs to be powered on |} ff53d9720637a594139a9e83ad33871d5b4ba890 2428 2427 2010-01-24T22:49:19Z 95.112.137.220 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? 
(Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Unknown, but needs to be powered on |} f4218e76f8c8eb33903cee6f530296fff78b4840 2439 2428 2010-02-08T14:00:35Z 95.112.167.255 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? |} 1456b5b801258b020b44bccfe2d5ea466f5cc01d 2440 2439 2010-02-08T14:01:36Z 95.112.167.255 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? 
(Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | Could be the LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? |} 93d5bcf8938321c80db3a2f3639edd5a38caf473 2441 2440 2010-02-08T19:53:58Z 95.112.167.255 0 wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? |} 3871eee67967e0dc6e293b290f25168f6ce88040 Nano2G LCD init 0 192 2435 2010-02-02T21:16:52Z 95.112.189.78 0 Created page with ' static void lcd_send_cmd(uint32_t cmd) __attribute__((naked, noinline)); static void lcd_send_cmd(uint32_t cmd) { (void)cmd; asm volatile( "mov r2, #0x38000...' 
wikitext text/x-wiki
 #include <stdint.h>
 
 /* Wait until bit 4 of the halfword at 0x3860001C is clear, then write the
    command (passed in r0) to 0x38600004. */
 static void lcd_send_cmd(uint32_t cmd) __attribute__((naked, noinline));
 static void lcd_send_cmd(uint32_t cmd)
 {
     (void)cmd;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"   /* r2 = 0x38600000 */
         "lsc_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne lsc_wait \n\t"            /* loop while bit 4 is set */
         "strh r0, [r2,#0x4] \n\t"
         "mov pc, lr \n\t"
     );
 }
 
 /* Write the low byte of the argument to 0x38600040, then wait until bit 4 of
    the halfword at 0x3860001C is clear. */
 static void lcd_7_send_data(uint32_t data) __attribute__((naked, noinline));
 static void lcd_7_send_data(uint32_t data)
 {
     (void)data;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"   /* r2 = 0x38600000 */
         "and r0, r0, #0xff \n\t"
         "strh r0, [r2,#0x40] \n\t"
         "ls7d_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne ls7d_wait \n\t"           /* loop while bit 4 is set */
         "mov pc, lr \n\t"
     );
 }
 
 /* Busy-wait for (time << 16) loop iterations. */
 static void lcd_delay(uint32_t time) __attribute__((naked, noinline));
 static void lcd_delay(uint32_t time)
 {
     (void)time;
     asm volatile(
         "mov r0, r0,lsl#16 \n\t"
         "ld_wait: \n\t"
         "subs r0, r0, #1 \n\t"
         "bne ld_wait \n\t"
         "mov pc, lr \n\t"
     );
 }
 
 #define LCD_RST_TIME *((volatile uint32_t*)(0x38600024))
 #define LCD_DRV_RST *((volatile uint32_t*)(0x38600028))
 
 void main(void)
 {
     /* Pulse the reset line: low, short delay, high, longer delay. */
     LCD_RST_TIME = 0x7FFF;
     LCD_DRV_RST = 0;
     lcd_delay(1);
     LCD_DRV_RST = 1;
     lcd_delay(5);
 
     /* Each command is followed by its parameter bytes. */
     lcd_send_cmd(0x01); lcd_7_send_data(0x00);
     lcd_delay(10);
     lcd_send_cmd(0xB1); lcd_7_send_data(0x16); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB2); lcd_7_send_data(0x17); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB4); lcd_7_send_data(0x00);
     lcd_send_cmd(0xB6); lcd_7_send_data(0x01);
     lcd_send_cmd(0xB7); lcd_7_send_data(0x00); lcd_7_send_data(0x00);
     lcd_7_send_data(0x02); lcd_7_send_data(0x00); lcd_7_send_data(0x06);
     lcd_7_send_data(0x26); lcd_7_send_data(0x2D); lcd_7_send_data(0x27);
     lcd_7_send_data(0x55); lcd_7_send_data(0x27);
     lcd_send_cmd(0xB8); lcd_7_send_data(0x10);
     lcd_send_cmd(0xB9); lcd_7_send_data(0x52); lcd_7_send_data(0x12);
     lcd_7_send_data(0x03);
     lcd_send_cmd(0xC0); lcd_7_send_data(0x0A); lcd_7_send_data(0x10);
     lcd_7_send_data(0x10);
     lcd_send_cmd(0xC2); lcd_7_send_data(0x14); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC3); lcd_7_send_data(0x12); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC6); lcd_7_send_data(0x48);
     lcd_send_cmd(0xE0); lcd_7_send_data(0x20); lcd_7_send_data(0x71);
     lcd_7_send_data(0x17); lcd_7_send_data(0x09); lcd_7_send_data(0x70);
     lcd_7_send_data(0x0C); lcd_7_send_data(0x13); lcd_7_send_data(0x25);
     lcd_send_cmd(0xE1); lcd_7_send_data(0x37); lcd_7_send_data(0x00);
     lcd_7_send_data(0x63); lcd_7_send_data(0x11); lcd_7_send_data(0xD9);
     lcd_7_send_data(0x00); lcd_7_send_data(0x12); lcd_7_send_data(0x01);
     lcd_send_cmd(0xE2); lcd_7_send_data(0x42); lcd_7_send_data(0x42);
     lcd_7_send_data(0x60); lcd_7_send_data(0x08); lcd_7_send_data(0xB4);
     lcd_7_send_data(0x07); lcd_7_send_data(0x0E); lcd_7_send_data(0x90);
     lcd_send_cmd(0xE3); lcd_7_send_data(0x47); lcd_7_send_data(0x60);
     lcd_7_send_data(0x66); lcd_7_send_data(0x09); lcd_7_send_data(0x6A);
     lcd_7_send_data(0x02); lcd_7_send_data(0x0E); lcd_7_send_data(0x09);
     lcd_send_cmd(0xE4); lcd_7_send_data(0x11); lcd_7_send_data(0x40);
     lcd_7_send_data(0x03); lcd_7_send_data(0x0A); lcd_7_send_data(0xC1);
     lcd_7_send_data(0x0D); lcd_7_send_data(0x17); lcd_7_send_data(0x30);
     lcd_send_cmd(0xE5); lcd_7_send_data(0x00); lcd_7_send_data(0x30);
     lcd_7_send_data(0x77); lcd_7_send_data(0x1C); lcd_7_send_data(0xFB);
     lcd_7_send_data(0x00); lcd_7_send_data(0x13); lcd_7_send_data(0x07);
     lcd_send_cmd(0xE6); lcd_7_send_data(0x01);
     lcd_send_cmd(0x35); lcd_7_send_data(0x00);
     lcd_send_cmd(0x36); lcd_7_send_data(0x00);
     lcd_send_cmd(0xF2); lcd_7_send_data(0x40);
     lcd_send_cmd(0xF3); lcd_7_send_data(0x50);
     lcd_send_cmd(0xFB); lcd_7_send_data(0x01);
     lcd_send_cmd(0x11); lcd_7_send_data(0x00);
     lcd_delay(200);
     lcd_send_cmd(0x3A); lcd_7_send_data(0x65);
     lcd_send_cmd(0x29); lcd_7_send_data(0x00);
 }
f93d7e45db234495009ff15f2a56a9e3d6928790 Chronology 0 65 2436 2393 2010-02-03T17:45:25Z Farthen 28 Added iPod nano 5G wikitext text/x-wiki
This page lists all models of iPods and sets the naming for them.
This is so that nobody on this wiki or on IRC is confused about which device we are talking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G] || 2001-10 ||
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G] || 2002-07 ||
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G] || 2003-04 ||
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] || 2004-07 ||
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] || 2004-10 ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] || 2005-10 ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] || 2006-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)] || 2007-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)] || 2008-09 ||
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] || 2005-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] || 2006-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] || 2007-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] || 2008-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] || 2009-09 ||
|}

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits.
The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that ran on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.
cf152b70989446afba4f47784e6cb0351d3b8154 Notes vulnerability 0 98 2437 2387 2010-02-03T21:54:24Z 79.184.86.9 0 /* Link overflow */ wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an htm browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. The basic rules are:
*64kB files are loaded just after the boot of the nano; however, they are not kept in RAM
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to keep the widest choice of character values is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].
Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in several bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a size-limited buffer which is located on the stack.
When a return address is repeated throughout the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again)
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task.
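The steps listed under "Link overflow" above change the link's length more than once before the final copy: the UTF-16 to UTF-8 conversion grows it and %xx decoding shrinks it, so a limit stated in characters says little about the bytes that reach the stack buffer. The following C code is an added example, not code from the iPod firmware or from this wiki; it runs the same stages with the bound checked at every write. LINK_MAX, the status codes and all function names are assumptions made for illustration.

```c
/* Added example, not firmware code. LINK_MAX, the status codes and every
 * function name here are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINK_MAX 256 /* bytes in the final buffer, terminating NUL included */
enum { LINK_OK = 0, LINK_TOO_LONG = -1, LINK_BAD_ESCAPE = -2, LINK_BAD_UTF16 = -3 };

/* Append one byte, always leaving room for the terminating NUL. */
static int put(uint8_t *dst, size_t cap, size_t *len, uint8_t b)
{
    if (*len + 1 >= cap) return LINK_TOO_LONG;
    dst[(*len)++] = b;
    return LINK_OK;
}

/* UTF-16 (BMP only) -> UTF-8 with ASCII uppercasing. Code units above 0x7F
 * grow to 2 or 3 bytes, so a 256-character link can need up to 768 bytes. */
static int utf16_to_upper_utf8(const uint16_t *src, size_t n,
                               uint8_t *dst, size_t cap, size_t *len)
{
    *len = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = src[i];
        uint8_t enc[3];
        size_t k = 0;
        /* NUL and surrogate code units are rejected outright. */
        if (c == 0 || (c >= 0xD800 && c <= 0xDFFF)) return LINK_BAD_UTF16;
        if (c >= 'a' && c <= 'z') c = (uint16_t)(c - 0x20);
        if (c >= 0x800) enc[k++] = (uint8_t)(0xE0 | (c >> 12));
        else if (c >= 0x80) enc[k++] = (uint8_t)(0xC0 | (c >> 6));
        else enc[k++] = (uint8_t)c;
        if (c >= 0x800) enc[k++] = (uint8_t)(0x80 | ((c >> 6) & 0x3F));
        if (c >= 0x80) enc[k++] = (uint8_t)(0x80 | (c & 0x3F));
        for (size_t j = 0; j < k; j++)
            if (put(dst, cap, len, enc[j]) != LINK_OK) return LINK_TOO_LONG;
    }
    dst[*len] = 0;
    return LINK_OK;
}

/* Hex digit value; input is already uppercased by the previous stage. */
static int hexval(uint8_t ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Decode %xx into dst. Malformed escapes and %00 are errors; decoded bytes
 * are not re-validated as UTF-8 in this example. */
static int percent_decode(const uint8_t *src, size_t n,
                          uint8_t *dst, size_t cap, size_t *len)
{
    *len = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = src[i];
        if (b == '%') {
            int hi = (n - i >= 3) ? hexval(src[i + 1]) : -1;
            int lo = (n - i >= 3) ? hexval(src[i + 2]) : -1;
            if (hi < 0 || lo < 0 || (hi | lo) == 0) return LINK_BAD_ESCAPE;
            b = (uint8_t)((hi << 4) | lo);
            i += 2;
        }
        if (put(dst, cap, len, b) != LINK_OK) return LINK_TOO_LONG;
    }
    dst[*len] = 0;
    return LINK_OK;
}

/* Full pipeline: the length is checked against the destination at every
 * write, not once against the documented character limit. */
int normalize_link(const uint16_t *link, size_t units, uint8_t out[LINK_MAX])
{
    uint8_t utf8[LINK_MAX * 3 + 1]; /* worst case: 3 bytes per code unit */
    size_t n8 = 0, nout = 0;
    int rc;
    out[0] = 0;
    if (units > LINK_MAX) return LINK_TOO_LONG;
    rc = utf16_to_upper_utf8(link, units, utf8, sizeof utf8, &n8);
    if (rc == LINK_OK) rc = percent_decode(utf8, n8, out, LINK_MAX, &nout);
    if (rc != LINK_OK) out[0] = 0; /* never hand back a partial link */
    return rc;
}

/* Demo helper: widen an ASCII C string to UTF-16 code units and normalize. */
int normalize_ascii(const char *s, uint8_t out[LINK_MAX])
{
    uint16_t wide[LINK_MAX + 64];
    size_t n = strlen(s);
    if (n > LINK_MAX + 64) { out[0] = 0; return LINK_TOO_LONG; }
    for (size_t i = 0; i < n; i++) wide[i] = (uint8_t)s[i];
    return normalize_link(wide, n, out);
}

/* Demo helper: normalize `units` copies of one UTF-16 code unit. */
int normalize_repeated(uint16_t unit, size_t units, uint8_t out[LINK_MAX])
{
    uint16_t wide[LINK_MAX + 64];
    if (units > LINK_MAX + 64) { out[0] = 0; return LINK_TOO_LONG; }
    for (size_t i = 0; i < units; i++) wide[i] = unit;
    return normalize_link(wide, units, out);
}

int main(void)
{
    uint8_t out[LINK_MAX];
    int rc = normalize_ascii("song%20one.txt", out); /* constructed input */
    printf("%d \"%s\"\n", rc, (char *)out);
    rc = normalize_repeated(0x00E9, 200, out); /* 200 chars, 400 UTF-8 bytes */
    printf("%d\n", rc);
    return 0;
}
```

A link of 200 characters passes a character-count check against the 256 limit, yet is refused here because its UTF-8 form needs 400 bytes.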
You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor reaches the notes code in supervisor state, with interrupts enabled (menu scrolling), etc. Caches are enabled; the recommendation is to disable them when doing complex IO and DMA work, otherwise they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly as described in the datasheet. See [http://pargon.nl/?p=6 here] for how to build a UART cable. My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
To be documented.
6b28837443c2b64dad106224fa134987c23f9d16 freemyipod.org:About 4 115 2443 1785 2010-02-12T14:00:47Z Hovard 123 wikitext text/x-wiki
This wiki was started in order to collect all information about the linux4nano project, whether that be on the IRC, website, or mailing list, and compile it all into a convenient and organized location. Please feel free to add/edit information (it is a wiki after all). Right now, I (cmwslw) don't really know that much about the project, so my facts may not be that accurate. Please keep in mind that this wiki is for the purpose of cracking the iPod encryption.
While we want to find out as much about the iPod as we can, we need to try to keep only information relevant to cracking the iPod in the wiki. This keeps the wiki informative, but still concise. Also, when editing the wiki, please be sure to include sources (for plagiarism, but mostly for convenience). Also, '''speculation is good'''! Since this is an ongoing project, some things might not be known for sure. Even still, it is important to put speculation in this wiki to keep ideas flowing. Just make sure you mark speculation by using a question mark or something. b9a1145011dff318eba0afcd3cdf97e71eb487b8 2445 2443 2010-02-13T04:17:09Z 76.127.58.39 0 Undo revision 2443 by [[Special:Contributions/Hovard|Hovard]] ([[User talk:Hovard|Talk]]) wikitext text/x-wiki
8d195090a0376a1a5e1b010d9af2630d93a7fc0e Status 0 121 2444 2395 2010-02-13T00:40:58Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support to any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.
== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 
3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- c1f2e4b320ab1cf77c997447d387fa479122742a 2453 2444 2010-02-15T14:10:43Z TheSeven 13 /* Basic drivers or steps: */ wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support to any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.
== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs bruteforcing'''</span> | <span style="color:red">'''Needs new exploit'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> 
| <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- 2cde96c1bede3719a7882a4f4f14419d37964e88 2456 2453 2010-02-23T13:34:33Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support to any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.
== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 
3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 3ef3c35ea413461958fca48dd07ea5b630d92f79 2457 2456 2010-02-23T13:35:10Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support to any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.
== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware 
encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |-
43f6d339d1376775e1af64e7797750a2c5595d8e
2460 2457 2010-02-23T13:57:38Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support for any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.

== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> |
<span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | 
<span style="color:green">'''Write support still experimental'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 
3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |-
9335b3f26f32f9f2579ead1ff9c60fe619924909
2461 2460 2010-02-23T13:58:33Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made. As of February 13, iPodLinux has not made any attempts to add support for any devices. If you want to see Linux running on an iPod Nano 2G or newer, you'll probably have to port it yourself.

== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware 
encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |-
cd30c807ccb168f80b79a4208b4ca0a44387ab58
Firmware 0 56 2446 2404 2010-02-14T11:17:51Z Farthen 28 /* Nano 4g */ wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' partition. Instead, seven new partitions were added. We assume that these have the following functions; a question mark means that we are not completely sure:
appl - Bootlogo?
bdhw - bad hardware?
bdsw - bad software?
chrg - Same as appl but when charging via USB?
diag - diag mode
disk - disk mode
lbat - low battery mode

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

5876e7266ed4f2423716c71a1bf730fc6ddc95a1
2447 2446 2010-02-14T11:18:31Z Farthen 28 /* Nano 4g */ wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' partition. Instead, seven new partitions were added. We assume that these have the following functions; a question mark means that we are not completely sure:
* appl - Bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - Same as appl but when charging via USB?
* diag - diag mode
* disk - disk mode
* lbat - low battery mode

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

8fb1b9046ea30323f866fc66883602e09e8b0b03
2448 2447 2010-02-14T11:20:30Z Farthen 28 /* Nano 4g */ wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' partition. Instead, seven new partitions were added.
We assume that these have the following functions; a question mark means that we are not completely sure:
* appl - bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - Same as appl but when charging via USB?
* diag - diag mode
* disk - disk mode
* lbat - low battery logo?

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

004ebf41e1f38271dbc63c74ef3e5e5b1303a3e0
2449 2448 2010-02-14T11:24:40Z Farthen 28 /* Nano 4g */ wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware partition of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the filesystem of the iPod. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' partition. Instead, nine new partitions were added. We assume that these have the following functions; a question mark means that we are not completely sure:
* appl - bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - sleep, but charging?
* diag - diag mode
* disk - disk mode
* lbat - low battery logo?
* osos - Apple firmware
* rsrc - firmware resource filesystem (integrated games etc.), unencrypted FAT16 filesystem

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

3a40a30c6b5c646acc95adf0204fb97da8a25841
2450 2449 2010-02-14T11:26:27Z TheSeven 13 wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the resource filesystem of the iPod firmware. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' partition. Instead, seven new partitions were added. We assume that these have the following functions; a question mark means that we are not completely sure:
* appl - bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - sleep, but charging?
* diag - diag mode
* disk - disk mode
* lbat - low battery logo?

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

6a899926c0232eca5cbd9515e88a219c8be4f886
2451 2450 2010-02-14T11:26:52Z TheSeven 13 wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction.
:-)

==osos==
This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the aupd partitions of different firmware versions of the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the resource filesystem of the iPod firmware. It is unencrypted and not of much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' file. Instead, seven new files were added. We assume that these have the following functions; a question mark means that we are not completely sure:
* appl - bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - sleep, but charging?
* diag - diag mode
* disk - disk mode
* lbat - low battery logo?

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

c59fe359fe17d654899bd19d56168766cb334b86
ILoader 0 146 2455 2380 2010-02-19T12:01:45Z Fergofrog 43 /* Current Themes */ wikitext text/x-wiki
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too inconvenient in the long term, as you break the Apple firmware that way but still have its non-negligible boot-up times. This is why iLoader has been developed. iLoader replaces the Apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.

===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot Apple firmware ("osbk" image created by ipodpatcher, /iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot Rockbox (/.rockbox/rockbox.ipod)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and extract it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the Apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes). See [[Extracting firmware]] for more information.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice):
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod.
If you want to, you can also add additional firmwares as "/.rockbox/rockbox.ipod" or "/iloader/custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the apple firmware option should work. An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it. For more in-depth instructions, see [[ILoader Howto]]. ===Update=== If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if neccessary: dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync ===Uninstallation=== Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the apple firmware manually. ===Known Issues=== * You lose all data on your iPod when installing iLoader! (This happens due to the fact that the iPod gets repartitioned during the process, in order to reclaim about of ~70MB of now unused apple firmware space. For a final release into public, we will probably omit this.) * Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.) * Do not reboot via the Menu+Select key combination shortly after you have booted up the apple firmware for the first time after installing iLoader. If you do, it will probably not save it's settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings. * <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work. 
I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels)
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes].

3b7042457e7279a4b3b92c23c7568aa2ff368222 2480 2455 2010-03-06T23:59:59Z TheSeven 13 wikitext text/x-wiki

<div style="padding:10px; border: solid 2px red; background: #fee"> '''This is highly outdated!''' </div>
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the apple firmware that way, but still have its non-negligible bootup times. This is why iLoader has been developed. iLoader replaces the apple firmware on the firmware partition, and thus gets booted up directly by the NOR-based bootloader. It then shows the menu (which you can see on the right of this page), and loads whatever firmware you like from a file located on the data partition, thus allowing easy updates of rapidly evolving alternative firmwares.
===Usage===
* Menu button: Boot iBugger Loader (/iLoader/ibugger.bin)
* Left button: Boot apple firmware ("osbk" image created by ipodpatcher, /iLoader/appleos.bin (unencrypted) and /iLoader/osos.fw (encrypted) are tried in that order)
* Center/Select button: Boot to disk mode
* Play button: Boot rockbox (/.rockbox/rockbox.ipod)
* Right button: Boot an additional image of your choice (/iLoader/custom.bin)

===Installation===
'''BEWARE: Following these directions WILL delete all data on your iPod! If you select the wrong device, it may also do so on your hard drive! As usual, these instructions are supplied in the hope that they will be useful but WITHOUT ANY WARRANTY! Don't blame me if you trash your data. You should also read through the "Known Issues" section below.'''

For installing on Windows: [[Installing iLoader under Windows]]

Fetch the latest iLoader release (iLoader-fullfs.7z) from [http://bit.ly/oXZRO here] and unzip it. You will get three disk images, for the three available flash sizes for your iPod. If you want to keep the apple firmware, you should extract that from your iPod now (or download it [http://www.felixbruns.de/iPod/firmware here]). You'll need the "osos.fw" file, without the crypto header (remove the first 2048 bytes). See [[Extracting firmware]] for more information.

Now just unmount the iPod and dd the image file for your flash size to your iPod device (Windows users might use HxD, WinHex or some other tool of their choice)
 dd if=iloaderimage-Xgb.bin of=/dev/sdX; sync
(use the plain device, without any partition number!)

Now unplug your iPod, and after some seconds you should see the menu screen shown on the right of this page. Each button on your clickwheel is associated with a boot image. Immediately after installation, only the center and menu buttons will work, as no other firmware is installed yet. Boot to disk mode now, and place the osos.fw file into the iLoader folder on your iPod.
If you want to, you can also add additional firmwares as "/.rockbox/rockbox.ipod" or "/iloader/custom.bin". Unmount your iPod, and it should boot to the iLoader menu again. From now on, the apple firmware option should work.

An ipodpatcher-based automated installer is currently being worked on. If you don't feel comfortable with these instructions or the issues mentioned below, we would suggest waiting for it. For more in-depth instructions, see [[ILoader Howto]].

===Update===
If you don't want to wipe the data partition again, you may use the following command, and then update the data partition contents manually, if necessary:
 dd if=iloaderimage-Xgb.bin bs=2048 skip=63 seek=63 count=63 of=/dev/sdX; sync

===Uninstallation===
Either restore a disk image you made before installing iLoader, or just use iTunes to restore your iPod. Experienced users can also reinstall the apple firmware manually.

===Known Issues===
* You lose all data on your iPod when installing iLoader! (This happens due to the fact that the iPod gets repartitioned during the process, in order to reclaim about ~70MB of now unused apple firmware space. For a final release into public, we will probably omit this.)
* Some iPod accessories (especially Nikepod) may refuse to work if iLoader is installed. (This could also be worked around if need be.)
* Do not reboot via the Menu+Select key combination shortly after you have booted up the apple firmware for the first time after installing iLoader. If you do, it will probably not save its settings and start up with the language selection menu again the next time you boot it. I don't know at which point it will save the settings, but I have found a trick: Just connect the iPod via USB, add or remove a file, and properly unmount and unplug it. This will cause a controlled reboot, which will save the settings.
* <s>There is still some trouble with Type-2 LCDs, the display will be garbled, but the bootloader itself will work.
I hope to be able to fix that soon.</s> Finally fixed.
* It looks like iLoader may fail to decrypt osos.fw in some very rare, but reproducible cases. This needs further investigation. Use an unencrypted appleos.bin to circumvent this for now, if you should experience that problem.

===Skinning iLoader===
If you want to replace the graphics used in iLoader, just edit the bitmap files in the iLoader directory.
* You must save them as 16-bit (RGB565) uncompressed bitmaps with inverted row order. Photoshop can do that if you click "Advanced", Gimp can't, as far as I know.
* The bitmaps may not be larger than your iPod's display (176x132 pixels)
* The width in pixels must be a multiple of 2, the height doesn't need to be.
File names can be changed using a hex editor, if you want (or just by recompiling it, if you manage to do that), but beware that the top button has a special entry point of 0x08600000 and the left button is able to decrypt a firmware image.

===Current Themes===
Themes to download can be found at: [http://l4n.clustur.com/index.php/ILoader_Themes Themes].

abc0ec4123a6d353f22b4f9a2c1d17ef1ebcd2a0 2487 2480 2010-03-07T02:44:36Z TheSeven 13 wikitext text/x-wiki

<div style="padding:10px; border: solid 2px red; background: #fee"> '''This is highly outdated!''' </div>
[[File:ILoader-Real.jpg|150px|thumb|right|What the iLoader menu looks like on an iPod Nano 2G]]
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the apple firmware that way, but still have its non-negligible bootup times. The rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable.
For installation instructions, see [[ILoader Howto]].

4d968ad46d0a7739b034cd40b29d2e50d0e0e7cf 2488 2487 2010-03-07T02:44:48Z TheSeven 13 wikitext text/x-wiki

Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the apple firmware that way, but still have its non-negligible bootup times. The rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable. For installation instructions, see [[ILoader Howto]].

fec6887ef5ff07075e96b7823b0acea63ce0d8cb FTL 0 193 2470 2010-03-02T15:04:02Z TheSeven 13 Created page with 'The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version of it. The FTL is divided int...' wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version of it. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank.
      */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to
        find the most recent FTL context copy when mounting the FTL. The VFL context number
        this will be written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active FTL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be
        read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a
        replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero,
        you should look at the remap table to see if the block is remapped, and if yes,
        where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context
        write, always 8 pages are written, and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table.
        This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this.
      */
     uint32_t checksum2;
 } __attribute__((packed));

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 flash block on each bank, up to 1MB) and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of
        FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user
        pages is written, so that a consistency check can determine which copy of a user page
        is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free block in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear. It is incremented on
        every block erase, and if it gets too high (300 on writes, 20 on sync), the most and
        least worn block will be swapped (incurring an additional block write) and the counter
        will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free blocks. nextfreeidx is the index to freecount free ones,
        the other ones are currently allocated for scattered page blocks.
      */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed as they were
        changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a
        ring buffer, and the oldest page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written
        to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of block) */
         uint8_t type;
         /* ECC mark, usually 0xFF.
            If an error occurred while reading the page during a copying operation earlier,
            this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example number / index of the map or
            erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a
            copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

5a2c25b7934a2e2afa1e2646a463edc7bca93f61 2471 2470 2010-03-02T17:41:49Z TheSeven 13 wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version of it. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to
        find the most recent FTL context copy when mounting the FTL. The VFL context number
        this will be written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be
        read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a
        replacement for. 0 = unused, 0xFFFF = bad.
      */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero,
        you should look at the remap table to see if the block is remapped, and if yes,
        where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context
        write, always 8 pages are written, and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table.
        This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the low-level BBT.

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of
        FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user
        pages is written, so that a consistency check can determine which copy of a user page
        is the most recent one.
      */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear. It is incremented on
        every block erase, and if it gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional block write) and the
        counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free
        ones, the other ones are currently allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed because they
        were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a
        ring buffer, and the oldest page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated.
      */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written
        to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a
            copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example number / index of the map or
            erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a
            copying operation earlier, this will be 0x55.
          */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

3a65ad9a6b528205d92b4cbab396b58010b74817 2472 2471 2010-03-02T18:19:29Z TheSeven 13 wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version of it. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.

== On-Flash layout ==
  ____________________________________________________
 |                 Block 0: Signature                 |
 |----------------------------------------------------|
 |                4 VFL context blocks                |
 |----------------------------------------------------|
 |             Spare blocks for remapping             |
 |----------------------------------------------------|
 |          Virtual blocks (directly mapped)          |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context.
When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to
        find the most recent FTL context copy when mounting the FTL. The VFL context number
        this will be written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be
        read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a
        replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero,
        you should look at the remap table to see if the block is remapped, and if yes,
        where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context
        write, always 8 pages are written, and it passes if at least 4 of them can be read back.
      */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table.
        This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the low-level BBT.
*

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of
        FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user
        pages is written, so that a consistency check can determine which copy of a user page
        is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear. It is incremented on
        every block erase, and if it gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional block write) and the
        counter will be decreased by 20.
      */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free
        ones, the other ones are currently allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed because they
        were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a
        ring buffer, and the oldest page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written
        to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type {
         /* The lPage, i.e.
            Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

5a63f1fdd14469de21a0b78943cea56fa9e2827f 2473 2472 2010-03-02T18:38:38Z TheSeven 13 wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version of it. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).
== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)

  ____________________________________________________
 | Block 0: Signature                                 |
 |----------------------------------------------------|
 | 4 VFL context blocks                               |
 |----------------------------------------------------|
 | Spare blocks for remapping                         |
 |----------------------------------------------------|
 | Virtual blocks (directly mapped)                   |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks.
        This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in Whimory regarding this.
     */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the low-level BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear.
        It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory.
     */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55.
         */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

b82b19d4d3f5f6d66090cfae97a88aef4a1f499f 2474 2473 2010-03-02T19:05:14Z TheSeven 13 wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)
  ____________________________________________________
 | Block 0: Signature                                 |
 |----------------------------------------------------|
 | 4 VFL context blocks                               |
 |----------------------------------------------------|
 | Spare blocks for remapping                         |
 |----------------------------------------------------|
 | Virtual blocks (directly mapped)                   |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere.
     */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in Whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the low-level BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear. It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks.
     */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF.
            If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

a24928c6735372828d9166255ca56daa187d2162 2475 2474 2010-03-02T20:00:03Z TheSeven 13 wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)

  ____________________________________________________
 | Block 0: Signature                                 |
 |----------------------------------------------------|
 | 4 VFL context blocks                               |
 |----------------------------------------------------|
 | Spare blocks for remapping                         |
 |----------------------------------------------------|
 | Virtual blocks (directly mapped)                   |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */
 struct ftl_vfl_cxt_type {
     /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly.
     */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in Whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page.
In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the low-level BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back.
If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type {
     /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block wear.
        It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most recently updated VFL context
* Read the first page of the FTL context vBlocks.
Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as it's first page. * Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown. * Read the block map and erase counter pages pointed to by the FTL context * Initialize the scattered page, problem log and erase counter dirt information. === lPage read procedure === * Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block. * If there is a scattered page entry for the lBlock, that contains the requested page, use that instead. * Read the vPage * If it was unprogrammed, return an all-zero result. * If there was an error, zero the result and return an error. === lPage write procedure === * Yet to be documented === FTL sync/shutdown procedure === * Yet to be documented === FTL context update procedure === * Yet to be documented == Error handling == * Yet to be documented == Scattered page blocks == * Yet to be documented == Page metadata (spare bytes) == /* Layout of the spare bytes of each page on the flash */ union ftl_spare_data_type { /* The layout used for actual user data (types 0x40 and 0x41) */ struct ftl_spare_data_user_type { /* The lPage, i.e. Sector, number */ uint32_t lpn; /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */ uint32_t usn; /* Seems to be unused */ uint8_t field_8; /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. 
*/ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) user; /* The layout used for meta data (other types) */ struct ftl_spare_data_meta_type { /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */ uint32_t usn; /* Index of the thing inside the page, for example number / index of the map or erase counter page */ uint16_t idx; /* Seems to be unused */ uint8_t field_6; /* Seems to be unused */ uint8_t field_7; /* Seems to be unused */ uint8_t field_8; /* Type field: 0x43: FTL context page 0x44: Block map page 0x46: Erase counter page 0x47: "FTL is currently mounted", i.e. unclean shutdown, mark 0x80: VFL context page */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) meta; }; e5337ad5df5da3c32e36fea4f26af234e5c7d3a7 2476 2475 2010-03-02T20:07:29Z TheSeven 13 wikitext text/x-wiki The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages. * Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad. * Physical page (pPage): A physical page number on the flash. * The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. 
(Those are on top of the VFL, which handles the bank interleaving.) * Hyperblock: One block across all banks. * System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below. * System pages: All the pages in the system hyperblocks. == On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) ____________________________________________________ | Block 0: Signature | |----------------------------------------------------| | 4 VFL context blocks | |----------------------------------------------------| | Spare blocks for remapping | |----------------------------------------------------| | Virtual blocks (directly mapped) | |- - - - - - - - - - - - - --------------------------| | Last few virtual blocks, | | | always marked as bad to | Low level signature | | protect overlapping low | and BBT blocks | | level BBT and signature | | |__________________________|_________________________| == The VFL == The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL. === VFL context === /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */ struct ftl_vfl_cxt_type { /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */ uint32_t usn; /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. 
*/ uint16_t ftlctrlblocks[3]; /* Alignment to 32 bits */ uint8_t field_A[2]; /* Decrementing update counter for VFL context commits per bank */ uint32_t updatecount; /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. */ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. * Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. 
In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT. * Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it. * Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN. * Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context. * Verify the VFL context checksum === vPage read procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block) * The resulting pPage will be read, and the code will return if the read was successful. * If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping. === vPage write procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block) * The resulting pPage will be written, and the code will return if the write was successful. * If there was an error, page will be read back. 
If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success. * If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping. === vBlock erase procedure === * First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it. * If remapping is scheduled for the pBlock, remap it. * Remove one problem point from that pBlock, if there are some. * Follow the pBlock remapping, if it exists. * Erase the pBlock (up to 3 tries, if needed). * If all 3 tries failed: ** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it) ** Remap the pBlock and commit the VFL context. ** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it. === VFL context update procedure === * Yet to be documented === VFL context checksums === /* Calculates the checksums for the VFL context page of the specified bank */ void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2) { uint32_t i; *checksum1 = 0xAABBCCDD; *checksum2 = 0xAABBCCDD; for (i = 0; i < 0x1FE; i++) { *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i]; *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i]; } } /* Checks if the checksums of the VFL context of the specified bank are correct */ uint32_t ftl_vfl_verify_checksum(uint32_t bank) { uint32_t checksum1, checksum2; ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2); if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0; /* The following line is pretty obviously a bug in Whimory, but we do it the same way for compatibility. 
*/ if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0; panicf("FTL: Bad VFL CXT checksum!"); return 1; } == The FTL == The FTL is responsible for handling writes that are smaller than the smallest eraseable unit (1 "hyperblock") and performs wear leveling. === FTL Context === /* Keeps the state of the FTL, both on flash and in memory */ struct ftl_cxt_type { /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */ uint32_t usn; /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */ uint32_t nextblockusn; /* Count of currently free pages in the block pool */ uint16_t freecount; /* Index to the first free hyperblock in the blockpool ring buffer */ uint16_t nextfreeidx; /* This is a counter that is used to better distribute block wear. It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */ uint16_t swapcounter; /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. 
*/ uint16_t blockpool[0x14]; /* Alignment to 32 bits */ uint16_t field_36; /* vPages where the block map is stored */ uint32_t ftl_map_pages[8]; /* Probably additional map page number space for bigger chips */ uint8_t field_58[0x28]; /* vPages where the erase counters are stored */ uint32_t ftl_erasectr_pages[8]; /* Seems to be padding */ uint8_t field_A0[0x70]; /* Pointer to ftl_map used by Whimory, not used by us */ uint32_t ftl_map_ptr; /* Pointer to ftl_erasectr used by Whimory, not used by us */ uint32_t ftl_erasectr_ptr; /* Pointer to ftl_log used by Whimory, not used by us */ uint32_t ftl_log_ptr; /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */ uint32_t erasedirty; /* Seems to be unused */ uint16_t field_120; /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */ uint16_t ftlctrlblocks[3]; /* The last used vPage number from ftlctrlblocks */ uint32_t ftlctrlpage; /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */ uint32_t clean_flag; /* Seems to be unused, but gets loaded from flash by Whimory. */ uint8_t field_130[0x15C]; } __attribute__((packed)); === FTL mounting procedure === * Make sure the VFLs are mounted * Get the FTL context vBlock numbers from the most-recently updated VFL context * Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as it's first page. * Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown. 
* Read the block map and erase counter pages pointed to by the FTL context * Initialize the scattered page, problem log and erase counter dirt information. === lPage read procedure === * Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block. * If there is a scattered page entry for the lBlock, that contains the requested page, use that instead. * Read the vPage * If it was unprogrammed, return an all-zero result. * If there was an error, zero the result and return an error. === lPage write procedure === * Yet to be documented === FTL sync/shutdown procedure === * Yet to be documented === FTL context update procedure === * Yet to be documented == Error handling == * Yet to be documented == Scattered page blocks == * Yet to be documented == Page metadata (spare bytes) == /* Layout of the spare bytes of each page on the flash */ union ftl_spare_data_type { /* The layout used for actual user data (types 0x40 and 0x41) */ struct ftl_spare_data_user_type { /* The lPage, i.e. Sector, number */ uint32_t lpn; /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */ uint32_t usn; /* Seems to be unused */ uint8_t field_8; /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. 
*/ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) user; /* The layout used for meta data (other types) */ struct ftl_spare_data_meta_type { /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */ uint32_t usn; /* Index of the thing inside the page, for example number / index of the map or erase counter page */ uint16_t idx; /* Seems to be unused */ uint8_t field_6; /* Seems to be unused */ uint8_t field_7; /* Seems to be unused */ uint8_t field_8; /* Type field: 0x43: FTL context page 0x44: Block map page 0x46: Erase counter page 0x47: "FTL is currently mounted", i.e. unclean shutdown, mark 0x80: VFL context page */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) meta; }; ff9ca786ddb491e59fd4fcc99e71e57909a3b78e 2477 2476 2010-03-02T20:07:55Z TheSeven 13 /* VFL context checksums */ wikitext text/x-wiki The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages. * Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad. * Physical page (pPage): A physical page number on the flash. * The same prefixes also apply to blocks. 
"vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.) * Hyperblock: One block across all banks. * System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below. * System pages: All the pages in the system hyperblocks. == On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) ____________________________________________________ | Block 0: Signature | |----------------------------------------------------| | 4 VFL context blocks | |----------------------------------------------------| | Spare blocks for remapping | |----------------------------------------------------| | Virtual blocks (directly mapped) | |- - - - - - - - - - - - - --------------------------| | Last few virtual blocks, | | | always marked as bad to | Low level signature | | protect overlapping low | and BBT blocks | | level BBT and signature | | |__________________________|_________________________| == The VFL == The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL. === VFL context === /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */ struct ftl_vfl_cxt_type { /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */ uint32_t usn; /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. 
*/ uint16_t ftlctrlblocks[3]; /* Alignment to 32 bits */ uint8_t field_A[2]; /* Decrementing update counter for VFL context commits per bank */ uint32_t updatecount; /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. */ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. * Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. 
In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT. * Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it. * Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN. * Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context. * Verify the VFL context checksum === vPage read procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block) * The resulting pPage will be read, and the code will return if the read was successful. * If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping. === vPage write procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block) * The resulting pPage will be written, and the code will return if the write was successful. * If there was an error, page will be read back. 
If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank,
                                 uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }

 /* Checks if the checksums of the VFL context
    of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.
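The acceptance logic of ftl_vfl_verify_checksum from the "VFL context checksums" section above, run next to a strict check on constructed context images to show which kinds of damage each one catches. This is an added example, not code from this wiki or from Whimory; struct vfl_cxt_image, verify_strict, run_case and the sample data are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VFL_SUMMED_WORDS 0x1FE        /* loop bound used on the page */
#define VFL_SEED         0xAABBCCDDu  /* initial value used on the page */

/* Simplified stand-in for ftl_vfl_cxt_type (assumption): the 0x7F8 bytes in
   front of the checksums are treated as opaque 32-bit words. */
struct vfl_cxt_image {
    uint32_t body[VFL_SUMMED_WORDS];
    uint32_t checksum1;               /* additive checksum */
    uint32_t checksum2;               /* XOR checksum */
};

static void vfl_checksums(const struct vfl_cxt_image *c,
                          uint32_t *sum, uint32_t *xr)
{
    uint32_t i;
    *sum = VFL_SEED;
    *xr = VFL_SEED;
    for (i = 0; i < VFL_SUMMED_WORDS; i++) {
        *sum += c->body[i];
        *xr ^= c->body[i];
    }
}

/* Decision logic as documented on the page: 0 = accepted, 1 = rejected.
   It rejects only when the sum is wrong AND the XOR is right. */
static int verify_whimory_compatible(const struct vfl_cxt_image *c)
{
    uint32_t sum, xr;
    vfl_checksums(c, &sum, &xr);
    if (sum == c->checksum1) return 0;
    if (xr != c->checksum2) return 0;
    return 1;
}

/* Strict variant (hypothetical, e.g. for offline dump analysis):
   both checksums must match. */
static int verify_strict(const struct vfl_cxt_image *c)
{
    uint32_t sum, xr;
    vfl_checksums(c, &sum, &xr);
    return (sum == c->checksum1 && xr == c->checksum2) ? 0 : 1;
}

enum vfl_case { CASE_INTACT, CASE_BITFLIP, CASE_XOR_NEUTRAL, CASE_BAD_XOR_FIELD };

/* Builds a constructed context image, applies one kind of damage and
   returns (compatible_result << 1) | strict_result. */
static int run_case(enum vfl_case which)
{
    struct vfl_cxt_image c;
    uint32_t i;

    memset(&c, 0, sizeof(c));
    for (i = 0; i < VFL_SUMMED_WORDS; i++)
        c.body[i] = i << 8;           /* constructed data, bit 0 clear everywhere */
    vfl_checksums(&c, &c.checksum1, &c.checksum2);

    switch (which) {
    case CASE_INTACT:
        break;
    case CASE_BITFLIP:                /* sum and XOR both change */
        c.body[5] ^= 0x00010000u;
        break;
    case CASE_XOR_NEUTRAL:            /* same bit set in two words: XOR unchanged, sum + 2 */
        c.body[10] ^= 1u;
        c.body[20] ^= 1u;
        break;
    case CASE_BAD_XOR_FIELD:          /* body intact, stored XOR checksum damaged */
        c.checksum2 ^= 0xFFu;
        break;
    }
    return (verify_whimory_compatible(&c) << 1) | verify_strict(&c);
}

int main(void)
{
    static const char *names[] = { "intact", "single bit flip",
                                   "XOR-neutral double flip", "damaged checksum2" };
    int i;
    for (i = 0; i <= CASE_BAD_XOR_FIELD; i++) {
        int r = run_case((enum vfl_case)i);
        printf("%-24s compatible=%s strict=%s\n", names[i],
               (r & 2) ? "reject" : "accept", (r & 1) ? "reject" : "accept");
    }
    return 0;
}
```

A tool that only inspects flash dumps can report the strict result while still mounting with the compatible one, so contexts written by Whimory remain readable.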
=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed
        because they were changed more than 100 times since the last commit.
        */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.
=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading
            the page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page,
            for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading
            the page during a copying operation earlier, this will be 0x55.
            */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };
0d3f029312d06a147c664d7a7dc244d45fcd0a99
2478 2477 2010-03-02T20:16:28Z TheSeven 13 wikitext text/x-wiki
The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)
  ____________________________________________________
 |                 Block 0: Signature                 |
 |----------------------------------------------------|
 |                4 VFL context blocks                |
 |----------------------------------------------------|
 |             Spare blocks for remapping             |
 |----------------------------------------------------|
 |          Virtual blocks (directly mapped)          |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|
== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...
== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.
=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index
        into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap,
        but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare
        block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.
        If the entry is zero, you should look at the remap table to see
        if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring
        buffer. On a VFL context write, always 8 pages are written,
        and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the
        remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));
=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum
=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.
=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points).
If there are more than 5 problem points for a block, it will be scheduled for remapping.
=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.
=== VFL context update procedure ===
* Yet to be documented
=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank,
                                 uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context
    of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }
== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.
=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be
        committed because they were changed more than 100 times since
        the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));
=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.
=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.
=== lPage write procedure ===
* Yet to be documented
=== FTL sync/shutdown procedure ===
* Yet to be documented
=== FTL context update procedure ===
* Yet to be documented
== Error handling ==
* Yet to be documented
== Scattered page blocks ==
* Yet to be documented
== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page,
            for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };
5ba37dcbcb54683cbfca2ab26cf21c886911dfd1 File:Iloader-theme-default.png 6 194 2483 2010-03-07T02:22:52Z TheSeven 13 The bootup screen of the default iLoader theme wikitext text/x-wiki
The bootup screen of the default iLoader theme
116ab97d869c5b17519f850704735c7bdbcc6367 ILoader 0 146 2553 2488 2010-03-12T16:10:22Z TheSeven 13 wikitext text/x-wiki
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable. For installation instructions, see [[ILoader Howto]].
f5b6bd8051a900bda037a31bb6ac8861f17a12e2 2583 2553 2010-03-29T05:43:15Z TheSeven 13 wikitext text/x-wiki
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable.
For installation instructions, see the [http://the-seven.tk/ipod/iloader iLoader homepage].
72645c7571f1a33dbf72b08ed0d460767d848f4b IBugger 0 116 2568 2215 2010-03-20T13:18:01Z Farthen 28 removed rockbox bootloader information (outdated/misplaced) wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very little changes needed to the code being debugged, to allow running it in iBugger
5acfbf35a7359a24aafd42acd4ede855f1422d8f 2636 2568 2010-06-23T01:34:54Z 71.131.6.134 0 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very little changes needed to the code being debugged, to allow running it in iBugger
can someone add how to install with iloader
14adf5d1da537180c6cf02276b1ef4606e9bd5e7 2656 2636 2010-07-05T11:41:30Z 80.153.60.105 0 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very little changes needed to the code being debugged, to allow running it in iBugger
can someone add how to install with iloader
aa285bc3f0ee6ce1fea0f3ba543f3db47ff8b758 2674 2656 2010-07-05T11:57:05Z TheSeven 13 Reverted some crap wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB.
Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very little changes needed to the code being debugged, to allow running it in iBugger
5acfbf35a7359a24aafd42acd4ede855f1422d8f Notes vulnerability 0 98 2586 2437 2010-03-31T08:26:24Z 194.138.12.169 0 /* Exploiting, getting execution */ wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically a htm browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
*64kB files are loaded just after the boot of the nano, however they are not kept in RAM
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
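A defender-side check built from the limits and link-handling steps this page gives (an added example, not code from the freemyipod project): it decodes a note by its BOM, then flags files over 4 kB, links over 256 characters, links whose byte length after UTF-8 conversion and %xx decoding exceeds 256, and %xx escapes that decode to non-printable bytes. The `<a href="...">` link syntax, the 256-byte buffer size, the finding names and the sample notes are assumptions constructed here.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_FILE_BYTES = 4 * 1024   # page: "each file is limited to 4kB"
MAX_LINK_CHARS = 256        # page: "the link is limited to 256 chars"
# Assumption: the device-side buffer is sized to the documented limit.
MAX_LINK_BYTES = 256

# Assumption: links are written HTML-style, <a href="...">.
HREF_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*"([^"]*)"', re.IGNORECASE)


def decode_note(raw):
    """Decode a note file according to its byte-order mark."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    # Assumption: a file without a BOM is read as a single-byte charset.
    return raw.decode("latin-1")


def measure_link(href):
    """Size of one link at each stage of the link handling the page lists."""
    as_utf8 = href.encode("utf-8")         # chars > 0x7F become 2-3 bytes each
    unescaped = unquote_to_bytes(as_utf8)  # each %xx collapses to one raw byte
    escapes = re.findall(rb"%([0-9A-Fa-f]{2})", as_utf8)
    # A link to a file or note has no reason to escape control bytes.
    odd = sum(1 for h in escapes if not 0x20 <= int(h, 16) <= 0x7E)
    return {"chars": len(href), "utf8_bytes": len(as_utf8),
            "final_bytes": len(unescaped), "nonprintable_escapes": odd}


def scan_note(raw):
    """Return a list of (finding, value) tuples for one note file."""
    findings = []
    if len(raw) > MAX_FILE_BYTES:
        findings.append(("file-too-large", len(raw)))
    for href in HREF_RE.findall(decode_note(raw)):
        m = measure_link(href)
        if m["chars"] > MAX_LINK_CHARS:
            findings.append(("link-too-long", m["chars"]))
        elif m["final_bytes"] > MAX_LINK_BYTES:
            # Within the character limit, but not within a byte-sized buffer.
            findings.append(("link-bytes-exceed-limit", m["final_bytes"]))
        if m["nonprintable_escapes"]:
            findings.append(("nonprintable-escapes", m["nonprintable_escapes"]))
    return findings


# Constructed sample notes (not taken from any real device or from the page).
SAMPLES = {
    "benign.txt": b'<title>Hi</title><a href="Song%20List.txt">songs</a>',
    "long.htm": b"\xfe\xff"
                + ('<a href="' + "A" * 300 + '">x</a>').encode("utf-16-be"),
    "wide.htm": b"\xfe\xff"
                + ('<a href="' + "\u00e9" * 200 + '">x</a>').encode("utf-16-be"),
    "escaped.htm": b'<a href="notes/%01%02%01%02">x</a>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_note(raw))
```

The `wide.htm` sample is the case a character-count check alone misses: 200 characters pass the documented limit, but they occupy 400 bytes once converted to UTF-8.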
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded as multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.
By putting a return address repeatedly in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again)
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" first contains a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, otherwise they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly as described in the datasheet. See [http://pargon.nl/?p=6 here] how to build a UART cable. My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
To be documented.
82d0616a6da54c627404cde5f7b28cb453c07bfa 2625 2586 2010-05-26T03:05:56Z 65.81.157.140 0 wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an html browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
*64kB files are loaded just after the boot of the nano, however they are not kept in RAM
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing.
=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences.
The best way to have the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing
The opcodes to execute will be placed in the body of the htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded as multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.
By putting a return address repeatedly in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again)
== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" first contains a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc. The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them when doing complex IO & DMA stuff, otherwise they can interfere.
== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps cannot be published here, due to copyright issues.
== UART ==
The UART is exactly as described in the datasheet. See [http://pargon.nl/?p=6 here] how to build a UART cable. My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.
== Analysis of the dumps ==
To be documented.
7c696d3b736233bce781dc099dfe9098c37f6366 2647 2625 2010-07-05T11:35:25Z 84.160.246.70 0 wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an html browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].
Basic rules are : *64kB files are loaded just after the boot of the nano, however they are not kept in RAM *each file is limited to 4kB *the links point to other files, or to other notes, or to media files. *the link is limited to 256 chars. apple documents this limit, but they don't say it can cause a buffer overflow ;) There seem to be 2 buffers : one which is a perfect copy of the disc file, including BOM, etc..., and one after UTF16 processing === File loading === The htm file is converted to UTF-16 first. This limits the possible char sequences. The best thing to to have most charset possibilities is encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. forbidden values are : *FE FF : UTF16 BOM *D8 00 up to DF FF : not checked what happens if inserting them *00 00 : would stop string processing The opcodes to execute will be placed in the body of the htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different): *Fist, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded in many bytes *Then it is passed through an uppercase function *The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied in a limited buffer which is located on the stack. By putting a return adress repetitively in the link, the processor will jump to this adress. For conveninece, the return adress is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. 
(The unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again.)

== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers.

In my case, I had to add a second file to influence the buffer's location, in order to get a return address which fits UTF8 (no byte of the return address >7F).

An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].

The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or enter the notes menu, etc.

The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them if doing complex IO & DMA work, otherwise they can interfere.

== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible.

All these dumps cannot be published here, due to copyright issues.

== UART ==
The UART is exactly the same as described in the datasheet.
See [http://pargon.nl/?p=6 here] how to build a UART cable.

My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 JTAG interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the JTAG scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff

To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
Because UART needs HW, USB will be used to debug in the future.

== Analysis of the dumps ==
To be documented.
3240d2528bc5f0b628dfc9f05fdb9739c3774145 2683 2647 2010-07-05T11:58:12Z TheSeven 13 Reverted edits by [[Special:Contributions/84.160.246.70|84.160.246.70]] ([[User talk:84.160.246.70|Talk]]) to last version by [[User:65.81.157.140|65.81.157.140]] wikitext text/x-wiki
== Notes vulnerability ==
=== Basics ===
The notes functionality is basically an HTML browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].

Basic rules are:
*64kB files are loaded just after the boot of the nano, however they are not kept in RAM
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)

There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc., and one after UTF16 processing.

=== File loading ===
The htm file is converted to UTF-16 first. This limits the possible char sequences. The best way to keep the most charset possibilities is to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].

Forbidden values are:
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing

The opcodes to execute will be placed in the body of the htm file.

=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8.
Every char >7F is encoded in many bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.

By putting a return address repetitively in the link, the processor will jump to this address.

For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F.
(The unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again.)

== Exploiting, getting execution ==
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers.

In my case, I had to add a second file to influence the buffer's location, in order to get a return address which fits UTF8 (no byte of the return address >7F).

An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].

The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This while(1) does not freeze or reset the iPod, but instead just crashes the background task. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or enter the notes menu, etc.

The processor arrives at the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated; the recommendation is to disable them if doing complex IO & DMA work, otherwise they can interfere.

== Dumping memories ==
For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible.

All these dumps cannot be published here, due to copyright issues.

== UART ==
The UART is exactly the same as described in the datasheet.
See [http://pargon.nl/?p=6 here] how to build a UART cable.

My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
*left board : DLC5 JTAG interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the JTAG scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff

To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.

== USB ==
Because UART needs HW, USB will be used to debug in the future.

== Analysis of the dumps ==
To be documented.
7c696d3b736233bce781dc099dfe9098c37f6366 Status 0 121 2595 2461 2010-04-06T17:16:30Z 93.199.78.73 0 wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made.

== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware 
encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- f898011eee6650ed74d003157441c9e62bfb129f 2596 2595 2010-04-06T17:16:47Z 93.199.78.73 0 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 
3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 9ddc82844c789b4618b1555cb05526fd115d48ed 2600 2596 2010-04-12T18:27:50Z 163.6.1.223 0 /* Basic drivers or steps: */ wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 5e8950181bbd2fa44dc583250268570f199d44b2 2602 2600 2010-04-13T21:06:18Z TheSeven 13 Protected "[[Status]]": Excessive vandalism ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in 
progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 
3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 5e8950181bbd2fa44dc583250268570f199d44b2 2603 2602 2010-04-13T21:07:07Z TheSeven 13 Undo revision 2600 by [[Special:Contributions/163.6.1.223|163.6.1.223]] ([[User talk:163.6.1.223|Talk]]) wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !! 
3G Classic (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''No recovery after unclean shutdown yet'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware 
encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 9ddc82844c789b4618b1555cb05526fd115d48ed Nano2G HW analysis 0 94 2598 1746 2010-04-10T15:14:01Z 87.172.67.214 0 fixed a small typo wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG brute-force scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd.
In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and no memory is reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupted due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? == [[Nano2G getting exec]] 62dba39be9d0aa62bc0e88e9519b22513151ee6b 2648 2598 2010-07-05T11:36:36Z 95.208.87.219 0 wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester.
Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG brute-force scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and no memory is reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupted due to the memory bus disconnection.
We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? == [[Nano2G getting exec]] 8e639c47a9bf65291938caa1463e8429358eb97e 2688 2648 2010-07-05T11:59:47Z TheSeven 13 Reverted edits by [[Special:Contributions/95.208.87.219|95.208.87.219]] ([[User talk:95.208.87.219|Talk]]) to last version by [[User:87.172.67.214|87.172.67.214]] wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].
== JTAG == The JTAG was found after searching with a JTAG brute-force scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and no memory is reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupted due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example.
If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? == [[Nano2G getting exec]] 62dba39be9d0aa62bc0e88e9519b22513151ee6b Main Page 0 50 2612 2494 2010-05-08T11:02:43Z Farthen 28 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Please try out [http://clustur.com Clustur] - a study oriented site. ==Categories== [[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]] c761218493f98a9bd9e15dae5cd36d32fefc38f7 Hardware 0 54 2620 2408 2010-05-15T15:04:39Z Sinless 141 /* 4G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. 
|- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for it could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]].
|} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 7f8c7b06be8819ae97a95911bcf4c2b1ef50013f 2633 2620 2010-06-05T18:26:50Z Benedikt93 145 /* 3G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC.
Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. 
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for it could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |- | Utility Flash | Possibly the chip on the lower part of the 4G board?
See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 3dbd3e17e7a1d690bc42c37502e0d99beeb35ef0 2637 2633 2010-06-25T13:23:03Z 124.90.107.70 0 /* 4G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption.
If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for it could possibly be used.
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 57fde695485ca63bb7ba32d305addaf546e953e6 2639 2637 2010-06-26T23:42:55Z 60.186.151.95 0 /* 4G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm.
Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | Samsung S5L8720 ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | Display IC(by dumping...found it connected to the LCD) | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 5d6b68b179d407dc0da4ffc8f4470b75caed1c5c 2641 2639 2010-07-04T14:48:55Z Farthen 28 /* 4G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?)
central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. 
Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | Display IC(by dumping...found it connected to the LCD) | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |- | Utility Flash | Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]]. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx f9c15cad70ccd47cdcd6b03cfd705935e17df2ce 2642 2641 2010-07-04T14:49:17Z Farthen 28 /* 4G Nano */ wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page.
For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. 
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | Display IC(by dumping...found it connected to the LCD) | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.) http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 5837164c51bdaa70687219b79035420ffc37456b 2643 2642 2010-07-04T14:58:53Z 95.115.166.141 0 wikitext
text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. 
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx de42bec21e14613b061e6b547ac0fd9bbac16b6c 2644 2643 2010-07-04T14:59:37Z 95.115.166.141 0 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07].
Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. 
This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M. |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 847379d287aba8e72dad1d543df2a7f6d4301709 2645 2644 2010-07-05T04:53:15Z Cmwslw 1 Added a template for the 5G Nano. Will fill in later wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm.
Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! 
Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | |- | RAM | |- | Utility Flash | |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 
===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx f2105ef358a9f6a042383c809ba92cf811e4262e 2646 2645 2010-07-05T05:11:11Z Cmwslw 1 Filled in the basic 5G hardware wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !!
Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. 
One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx bd420c34e0edf9275e5d77f6d79e7b89a746d554 2657 2646 2010-07-05T11:41:49Z 84.160.246.70 0 wikitext text/x-wiki Although iPods have many other
components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. 
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== 
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 12dd3ba625e79c8ef67dc1e257131c705ddcc594 2671 2657 2010-07-05T11:48:12Z Farthen 28 Undo revision 2657 by [[Special:Contributions/84.160.246.70|84.160.246.70]] ([[User talk:84.160.246.70|Talk]]) wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well, as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !!
Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. 
One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano2G%2BHW%2Banalysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx bd420c34e0edf9275e5d77f6d79e7b89a746d554 Firmware downgrading 0 163 2634 2242 2010-06-09T21:48:25Z 75.140.111.175 0 minor proofreading ~~~~ wikitext text/x-wiki This is a simple guide to Firmware downgrading with iTunes 8 and 9 
without losing Music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!) First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above. 4e4a5776f8e24e07564d9288e943a0e9d95922c3 2658 2634 2010-07-05T11:42:04Z 84.160.246.70 0 wikitext text/x-wiki This is a simple guide to Firmware downgrading with iTunes 8 and 9 without losing Music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!) First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above.
1be574549f569a671ea71e506a451669346a2106 2684 2658 2010-07-05T11:58:14Z TheSeven 13 Reverted edits by [[Special:Contributions/84.160.246.70|84.160.246.70]] ([[User talk:84.160.246.70|Talk]]) to last version by [[User:75.140.111.175|75.140.111.175]] wikitext text/x-wiki This is a simple guide to Firmware downgrading with iTunes 8 and 9 without losing Music from the iPod (this is NO warranty, back up your data if it's valuable to you!!!) First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above. 4e4a5776f8e24e07564d9288e943a0e9d95922c3 Address bruteforcing 0 122 2649 2462 2010-07-05T11:36:46Z 95.208.87.219 0 wikitext text/x-wiki '''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one. Done for the 3G as well, through an old iPhone exploit on a bootrom vulnerability. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic.
But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that are not either of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Tested
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080f0104.htm || a080f7f04.htm || Tested
|-
| JoeWheeler || 3G Nano || 1.1.3 || Windows || a08100104.htm || a08100904.htm || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe <sup>1</sup> || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|-
| KAB123 || 2G Classic || 2.0.1 || Windows || 09196804.htm 08334d04.htm || #4 for sweepfreeze, #4 for sweepcrash. ||
|}
<sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]
647e319d72c566aa1a87c57feb4744dc31d43dd3
2687 2649 2010-07-05T11:59:46Z TheSeven 13 Reverted edits by [[Special:Contributions/95.208.87.219|95.208.87.219]] ([[User talk:95.208.87.219|Talk]]) to last version by [[User:92.116.10.174|92.116.10.174]] wikitext text/x-wiki
'''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one.
Done for 3G as well through an old iPhone exploit on a bootrom vulnerability.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic.
f174b5bd5188f8459005b20a70e9e12251e3ac5d
Firmware 0 56 2650 2451 2010-07-05T11:37:01Z 80.153.60.105 0 wikitext text/x-wiki
This article is about the firmware itself. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is under construction. :-)

==osos==
This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.
[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

==aupd==
Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G:
[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

==rsrc==
This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project.

==Nano 4g==
The Nano 4g doesn't have the ''aupd'' file. Instead, seven new files were added. We assume that these have the following functions, the question mark means that we are not completely sure:
* appl - bootlogo?
* bdhw - bad hardware?
* bdsw - bad software?
* chrg - sleep, but charging?
* diag - diag mode
* disk - disk mode
* lbat - low battery logo?

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware
d6669526c1c6f8a1109e6ec07e73382b4b08f8b6
2693 2650 2010-07-05T12:00:12Z TheSeven 13 Reverted edits by [[Special:Contributions/80.153.60.105|80.153.60.105]] ([[User talk:80.153.60.105|Talk]]) to last version by [[User:TheSeven|TheSeven]] wikitext text/x-wiki
c59fe359fe17d654899bd19d56168766cb334b86
Nano2G clock gates 0 191 2653 2441 2010-07-05T11:40:34Z 80.153.60.105 0 wikitext text/x-wiki
(State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!)
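Added example (not part of the original wiki page and not Linux4nano code): the inverted polarity noted above makes it easy to write a gate bit the wrong way round, so this C sketch rebuilds both register words from the State columns of the PWRCON and PWRCONEXT tables on this page and ungates the AES and hashing units, which are both masked at handover. The page gives no register addresses, so the code works on plain variables; all function, macro and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "State" columns of the two tables on this page, written bit 31 first.
 * Polarity as stated on the page: 1 = masked, 0 = running. */
static const char PWRCON_STATE[]    = "00000000" "00001110" "01110011" "10000000";
static const char PWRCONEXT_STATE[] = "00000000" "00000000" "00101111" "00111110";

/* Bits that the tables do not mark "Probably a padding bit". */
#define PWRCON_VALID    0x007FFFFFu /* bits 22..0 */
#define PWRCONEXT_VALID 0x00003FFFu /* bits 13..0 */

/* Bit numbers from the PWRCONEXT table (the names are hypothetical). */
enum { EXT_HASH = 2, EXT_NAND_FMC = 6, EXT_AES = 10, EXT_USB_OTG = 11 };

/* Parse a 32-character column of '0'/'1' into a word; -1 if malformed. */
int word_from_column(const char *col, uint32_t *out)
{
    uint32_t w = 0;
    size_t i;

    for (i = 0; i < 32; i++) {
        if (col[i] != '0' && col[i] != '1')
            return -1;              /* also stops at a too-short column */
        w = (w << 1) | (uint32_t)(col[i] - '0');
    }
    if (col[32] != '\0')
        return -1;                  /* too long */
    *out = w;
    return 0;
}

/* Register word at handover; a malformed column yields "everything masked". */
uint32_t handover_word(const char *col)
{
    uint32_t w;
    return word_from_column(col, &w) == 0 ? w : 0xFFFFFFFFu;
}

/* 1 if the unit's clock is running, i.e. its mask bit is CLEAR. */
int gate_running(uint32_t word, unsigned bit)
{
    return bit < 32 && ((word >> bit) & 1u) == 0;
}

/* Return the word with one unit set running (bit cleared) or masked (bit
 * set). Padding bits and out-of-range bit numbers leave the word unchanged. */
uint32_t gate_set(uint32_t word, uint32_t valid, unsigned bit, int running)
{
    uint32_t m;

    if (bit >= 32 || !((valid >> bit) & 1u))
        return word;
    m = (uint32_t)1 << bit;
    return running ? (word & ~m) : (word | m);
}

/* Number of non-padding units whose clock is masked. */
unsigned masked_count(uint32_t word, uint32_t valid)
{
    unsigned n = 0;

    for (word &= valid; word != 0; word >>= 1)
        n += (unsigned)(word & 1u);
    return n;
}

/* PWRCONEXT value with the AES and hashing units running and every other
 * bit left in the state it was found in. */
uint32_t ext_with_crypto_running(uint32_t ext)
{
    ext = gate_set(ext, PWRCONEXT_VALID, EXT_AES, 1);
    ext = gate_set(ext, PWRCONEXT_VALID, EXT_HASH, 1);
    return ext;
}

int main(void)
{
    uint32_t pw = handover_word(PWRCON_STATE);
    uint32_t ext = handover_word(PWRCONEXT_STATE);

    printf("PWRCON    = 0x%08lX, %u units masked\n",
           (unsigned long)pw, masked_count(pw, PWRCON_VALID));
    printf("PWRCONEXT = 0x%08lX, %u units masked\n",
           (unsigned long)ext, masked_count(ext, PWRCONEXT_VALID));
    printf("AES running at handover: %d\n", gate_running(ext, EXT_AES));

    ext = ext_with_crypto_running(ext);
    printf("PWRCONEXT with AES and hash ungated = 0x%08lX\n",
           (unsigned long)ext);
    return 0;
}
```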
===PWRCON===
{| border="1" cellpadding="5" cellspacing="0"
! Bit !! State !! Meaning
|-
| 31 || 0 || Probably a padding bit
|-
| 30 || 0 || Probably a padding bit
|-
| 29 || 0 || Probably a padding bit
|-
| 28 || 0 || Probably a padding bit
|-
| 27 || 0 || Probably a padding bit
|-
| 26 || 0 || Probably a padding bit
|-
| 25 || 0 || Probably a padding bit
|-
| 24 || 0 || Probably a padding bit
|-
| || ||
|-
| 23 || 0 || Probably a padding bit
|-
| 22 || 0 || RTC? (Datasheet)
|-
| 21 || 0 || SDRAM? (Datasheet)
|-
| 20 || 0 || ECC (Datasheet mismatch, proven to be ECC)
|-
| 19 || 1 || ATA? (Datasheet)
|-
| 18 || 1 || LCD? (Datasheet)
|-
| 17 || 1 || DSP? (Datasheet)
|-
| 16 || 0 || USBHOST? (Datasheet)
|-
| || ||
|-
| 15 || 0 || USBFUNC? (Datasheet)
|-
| 14 || 1 || USB PHY
|-
| 13 || 1 || RTC? (Datasheet)
|-
| 12 || 1 || CHIPID? (Datasheet)
|-
| 11 || 0 || GPIO? (Datasheet)
|-
| 10 || 0 || ADC? (Datasheet)
|-
| 09 || 1 || SPI? (Datasheet)
|-
| 08 || 1 || UART? (Datasheet)
|-
| || ||
|-
| 07 || 1 || SPDIF? (Datasheet)
|-
| 06 || 0 || I2S (Datasheet, verified)
|-
| 05 || 0 || I2C (Datasheet, verified)
|-
| 04 || 0 || TIMER (Datasheet, verified)
|-
| 03 || 0 || MEMSTICK? (Datasheet)
|-
| 02 || 0 || SDC/MMC? (Datasheet)
|-
| 01 || 0 || FMC? (Datasheet)
|-
| 00 || 0 || LCDC? (Datasheet)
|}

===PWRCONEXT===
{| border="1" cellpadding="5" cellspacing="0"
! Bit !! State !! Meaning
|-
| 31 || 0 || Probably a padding bit
|-
| 30 || 0 || Probably a padding bit
|-
| 29 || 0 || Probably a padding bit
|-
| 28 || 0 || Probably a padding bit
|-
| 27 || 0 || Probably a padding bit
|-
| 26 || 0 || Probably a padding bit
|-
| 25 || 0 || Probably a padding bit
|-
| 24 || 0 || Probably a padding bit
|-
| || ||
|-
| 23 || 0 || Probably a padding bit
|-
| 22 || 0 || Probably a padding bit
|-
| 21 || 0 || Probably a padding bit
|-
| 20 || 0 || Probably a padding bit
|-
| 19 || 0 || Probably a padding bit
|-
| 18 || 0 || Probably a padding bit
|-
| 17 || 0 || Probably a padding bit
|-
| 16 || 0 || Probably a padding bit
|-
| || ||
|-
| 15 || 0 || Probably a padding bit
|-
| 14 || 0 || Probably a padding bit
|-
| 13 || 1 || Unknown
|-
| 12 || 0 || Unknown, but needs to be powered on
|-
| 11 || 1 || USB OTG
|-
| 10 || 1 || AES unit
|-
| 09 || 1 || Unknown
|-
| 08 || 1 || Unknown
|-
| || ||
|-
| 07 || 0 || LCD SPI I/F
|-
| 06 || 0 || NAND/FMC
|-
| 05 || 1 || Unknown
|-
| 04 || 1 || Unknown
|-
| 03 || 1 || Unknown
|-
| 02 || 1 || Hashing unit
|-
| 01 || 1 || Unknown
|-
| 00 || 0 || Clickwheel?
|}
bb50b9f0580f349d5554ce465b789a217e33915f
2692 2653 2010-07-05T12:00:10Z TheSeven 13 Reverted edits by [[Special:Contributions/80.153.60.105|80.153.60.105]] ([[User talk:80.153.60.105|Talk]]) to last version by [[User:95.112.167.255|95.112.167.255]] wikitext text/x-wiki
3871eee67967e0dc6e293b290f25168f6ce88040
S5L8701 analysis 0 89 2654 1697 2010-07-05T11:40:53Z 80.153.60.105 0 wikitext text/x-wiki
[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]

== Introduction ==
The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used in some competing MP3 players. We currently know next to nothing about the differences between the two chips or about later revisions.

There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user software. It probably contains crypto information.

Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double-sided PCB substrate. The electrical current passes through:
* a pad of the chip die
* a bonding wire
* the top layer of the substrate
* a via
* the bottom layer
* finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==
The following steps were carried out:
* desoldering of the IC
* removing of the balls and filler glue
* X-ray picture
* microscope picture of the bottom layer
* removing the bottom layer and most of the substrate (by careful manual grinding)
* microscope picture of the top layer
* superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==
The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status.

This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). See [[Nano2G%2BHW%2Banalysis]] for further PCB analysis.
846d6fb3a6f19b003a07ee7c8cf542bba75fd3e4
2691 2654 2010-07-05T12:00:09Z TheSeven 13 Reverted edits by [[Special:Contributions/80.153.60.105|80.153.60.105]] ([[User talk:80.153.60.105|Talk]]) to last version by [[User:Sto|Sto]] wikitext text/x-wiki
bff4fcac12c76e9d631818345cadf9820a222a4a
Chronology 0 65 2659 2436 2010-07-05T11:42:36Z 84.160.246.70 0 wikitext text/x-wiki
This page lists all iPod models and fixes the names used for them, so that nobody on this wiki or on IRC is confused about which device we are talking about. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G] || 2001-10 ||
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G] || 2002-07 ||
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G] || 2003-04 ||
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] || 2004-07 ||
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] || 2004-10 ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] || 2005-10 ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] || 2006-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)] || 2007-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)] || 2008-09 ||
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] || 2005-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] || 2006-09 ||
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] || 2007-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] || 2008-09 ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] || 2009-09 ||
|}

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.
21cbb2bfcb1898475245f7417046a73ac18f5c0d
2681 2659 2010-07-05T11:58:10Z TheSeven 13 Reverted edits by [[Special:Contributions/84.160.246.70|84.160.246.70]] ([[User talk:84.160.246.70|Talk]]) to last version by [[User:Farthen|Farthen]] wikitext text/x-wiki
Nano2G LCD init 0 192 2664 2435 2010-07-05T11:45:03Z 84.160.246.70 0 wikitext text/x-wiki

 #include <stdint.h>

 /* Send a command byte: poll the halfword at 0x3860001c until bit 4 is
    clear, then write the command to 0x38600004. */
 static void lcd_send_cmd(uint32_t cmd) __attribute__((naked, noinline));
 static void lcd_send_cmd(uint32_t cmd)
 {
     (void)cmd;
     asm volatile(
         "mov r2, #0x38000000   \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "lsc_wait:             \n\t"
         "ldrh r1, [r2,#0x1c]   \n\t"
         "tst r1, #0x10         \n\t"
         "bne lsc_wait          \n\t"
         "strh r0, [r2,#0x4]    \n\t"
         "mov pc, lr            \n\t"
     );
 }

 /* Send one data byte: write the low 8 bits to 0x38600040, then poll the
    halfword at 0x3860001c until bit 4 is clear. */
 static void lcd_7_send_data(uint32_t data) __attribute__((naked, noinline));
 static void lcd_7_send_data(uint32_t data)
 {
     (void)data;
     asm volatile(
         "mov r2, #0x38000000   \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "and r0, r0, #0xff     \n\t"
         "strh r0, [r2,#0x40]   \n\t"
         "ls7d_wait:            \n\t"
         "ldrh r1, [r2,#0x1c]   \n\t"
         "tst r1, #0x10         \n\t"
         "bne ls7d_wait         \n\t"
         "mov pc, lr            \n\t"
     );
 }

 /* Busy-wait for (time << 16) loop iterations. */
 static void lcd_delay(uint32_t time) __attribute__((naked, noinline));
 static void lcd_delay(uint32_t time)
 {
     (void)time;
     asm volatile(
         "mov r0, r0,lsl#16 \n\t"
         "ld_wait:          \n\t"
         "subs r0, r0, #1   \n\t"
         "bne ld_wait       \n\t"
         "mov pc, lr        \n\t"
     );
 }

 #define LCD_RST_TIME *((volatile uint32_t*)(0x38600024))
 #define LCD_DRV_RST  *((volatile uint32_t*)(0x38600028))

 void main(void)
 {
     /* Pulse the reset line */
     LCD_RST_TIME = 0x7FFF;
     LCD_DRV_RST = 0;
     lcd_delay(1);
     LCD_DRV_RST = 1;
     lcd_delay(5);
     /* One command per group, followed by its parameter bytes */
     lcd_send_cmd(0x01); lcd_7_send_data(0x00);
     lcd_delay(10);
     lcd_send_cmd(0xB1); lcd_7_send_data(0x16); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB2); lcd_7_send_data(0x17); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB4); lcd_7_send_data(0x00);
     lcd_send_cmd(0xB6); lcd_7_send_data(0x01);
     lcd_send_cmd(0xB7);
     lcd_7_send_data(0x00); lcd_7_send_data(0x00); lcd_7_send_data(0x02); lcd_7_send_data(0x00); lcd_7_send_data(0x06);
     lcd_7_send_data(0x26); lcd_7_send_data(0x2D); lcd_7_send_data(0x27); lcd_7_send_data(0x55); lcd_7_send_data(0x27);
     lcd_send_cmd(0xB8); lcd_7_send_data(0x10);
     lcd_send_cmd(0xB9); lcd_7_send_data(0x52); lcd_7_send_data(0x12); lcd_7_send_data(0x03);
     lcd_send_cmd(0xC0); lcd_7_send_data(0x0A); lcd_7_send_data(0x10); lcd_7_send_data(0x10);
     lcd_send_cmd(0xC2); lcd_7_send_data(0x14); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC3); lcd_7_send_data(0x12); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC6); lcd_7_send_data(0x48);
     lcd_send_cmd(0xE0);
     lcd_7_send_data(0x20); lcd_7_send_data(0x71); lcd_7_send_data(0x17); lcd_7_send_data(0x09);
     lcd_7_send_data(0x70); lcd_7_send_data(0x0C); lcd_7_send_data(0x13); lcd_7_send_data(0x25);
     lcd_send_cmd(0xE1);
     lcd_7_send_data(0x37); lcd_7_send_data(0x00); lcd_7_send_data(0x63); lcd_7_send_data(0x11);
     lcd_7_send_data(0xD9); lcd_7_send_data(0x00); lcd_7_send_data(0x12); lcd_7_send_data(0x01);
     lcd_send_cmd(0xE2);
     lcd_7_send_data(0x42); lcd_7_send_data(0x42); lcd_7_send_data(0x60); lcd_7_send_data(0x08);
     lcd_7_send_data(0xB4); lcd_7_send_data(0x07); lcd_7_send_data(0x0E); lcd_7_send_data(0x90);
     lcd_send_cmd(0xE3);
     lcd_7_send_data(0x47); lcd_7_send_data(0x60); lcd_7_send_data(0x66); lcd_7_send_data(0x09);
     lcd_7_send_data(0x6A); lcd_7_send_data(0x02); lcd_7_send_data(0x0E); lcd_7_send_data(0x09);
     lcd_send_cmd(0xE4);
     lcd_7_send_data(0x11); lcd_7_send_data(0x40); lcd_7_send_data(0x03); lcd_7_send_data(0x0A);
     lcd_7_send_data(0xC1); lcd_7_send_data(0x0D); lcd_7_send_data(0x17); lcd_7_send_data(0x30);
     lcd_send_cmd(0xE5);
     lcd_7_send_data(0x00); lcd_7_send_data(0x30); lcd_7_send_data(0x77); lcd_7_send_data(0x1C);
     lcd_7_send_data(0xFB); lcd_7_send_data(0x00); lcd_7_send_data(0x13); lcd_7_send_data(0x07);
     lcd_send_cmd(0xE6); lcd_7_send_data(0x01);
     lcd_send_cmd(0x35); lcd_7_send_data(0x00);
     lcd_send_cmd(0x36); lcd_7_send_data(0x00);
     lcd_send_cmd(0xF2); lcd_7_send_data(0x40);
     lcd_send_cmd(0xF3); lcd_7_send_data(0x50);
     lcd_send_cmd(0xFB); lcd_7_send_data(0x01);
     lcd_send_cmd(0x11); lcd_7_send_data(0x00);
     lcd_delay(200);
     lcd_send_cmd(0x3A); lcd_7_send_data(0x65);
     lcd_send_cmd(0x29); lcd_7_send_data(0x00);
 }
Nanotron 3000 0 130
2667 2413 2010-07-05T11:46:16Z 84.160.246.70 0 wikitext text/x-wiki
Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask.

The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of cmwslw's code.

== Timings for resetting and rebooting iPods ==
{| border="1"
|-
! Action !! Nano 4G !! Classic 2G
|-
| Reset || 5 seconds || 5 seconds
|-
| Reboot to main menu (cable disconnected) || 17.5 seconds || 28 seconds
|-
| Reboot to main menu (cable connected) || 35 seconds || 28 seconds
|-
| Reboot to disk mode (cable disconnected) || 2-3 seconds || 4-5 seconds
|-
| Reboot to disk mode (cable connected) || 11 seconds || 4-5 seconds
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
 [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late).
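The check described in this section, as an added example (not part of the wiki page or of any Nanotron software): it looks for the enumeration line in kernel log text and ignores every entry at or before a timestamp recorded when the test cycle starts, so that output left over from an earlier cycle cannot count as a pass. The function names and the second and third sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum ipod_state { IPOD_NOT_SEEN = 0, IPOD_ENUMERATED = 1 };

/* Constructed sample log: the first entry is the line quoted on the page,
   the other two are made up for this example. */
static const char *const SAMPLE_LOG[] = {
    "[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
    "[ 9340.500000] usb 1-2: device descriptor read/64, error -71",
    "[ 9401.250000] scsi 18:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
};

/* Read the "[ seconds.micros]" prefix. Returns 1 on success, 0 otherwise. */
static int parse_kernel_ts(const char *line, double *ts)
{
    return sscanf(line, " [ %lf", ts) == 1;
}

/* Timestamp of the newest entry. Taken just before a test cycle starts, so
   that everything already in the log can be ignored afterwards.
   Returns -1.0 for an empty log. */
double log_high_water(const char *const *lines, size_t n)
{
    double newest = -1.0, ts;
    for (size_t i = 0; i < n; i++)
        if (parse_kernel_ts(lines[i], &ts) && ts > newest)
            newest = ts;
    return newest;
}

/* Decide whether an iPod enumerated as a SCSI disk after `since`. */
enum ipod_state check_ipod(const char *const *lines, size_t n, double since)
{
    for (size_t i = 0; i < n; i++) {
        double ts;
        if (!parse_kernel_ts(lines[i], &ts) || ts <= since)
            continue;   /* unparsable, or left over from an earlier cycle */
        if (strstr(lines[i], "scsi") && strstr(lines[i], "Direct-Access") &&
            strstr(lines[i], "Apple") && strstr(lines[i], "iPod"))
            return IPOD_ENUMERATED;
    }
    return IPOD_NOT_SEEN;
}

int main(void)
{
    /* The cycle starts when only the first entry exists. */
    double mark = log_high_water(SAMPLE_LOG, 1);

    /* Only USB errors since the mark: treat as frozen. */
    printf("after 2 lines: %d\n", check_ipod(SAMPLE_LOG, 2, mark));
    /* A fresh enumeration line appeared: the iPod is working. */
    printf("after 3 lines: %d\n", check_ipod(SAMPLE_LOG, 3, mark));
    return 0;
}
```

Without the mark (a `since` of 0) the first two lines would already report a working iPod, which is exactly the stale-entry problem.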
Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior
FTL 0 193 2668 2478 2010-07-05T11:46:49Z 80.153.60.105 0 wikitext text/x-wiki
The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.
== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)

  ____________________________________________________
 |                 Block 0: Signature                 |
 |----------------------------------------------------|
 |                4 VFL context blocks                |
 |----------------------------------------------------|
 |             Spare blocks for remapping             |
 |----------------------------------------------------|
 |          Virtual blocks (directly mapped)          |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly.
     */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index
        into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap,
        but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare
        block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.
        If the entry is zero, you should look at the remap table to see
        if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring
        buffer. On a VFL context write, always 8 pages are written,
        and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the
        remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page.
In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back.
If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }

 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.
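What the verification routine under "VFL context checksums" above accepts and rejects, worked through as an added example (this is not code from the wiki or from Whimory). `struct vfl_cxt_image`, `verify_strict`, the `damage` cases and the filler data are assumptions made for illustration, and reading a return value of 0 as "accepted" is inferred from the first comparison in the page's code.

```c
#include <stdint.h>
#include <stdio.h>

#define VFL_CXT_WORDS 0x1FE  /* 32-bit words covered by both checksums */

/* Same size and checksum positions as ftl_vfl_cxt_type (0x800 bytes); the
   named fields are collapsed into body[] because the checksums only see
   32-bit words. */
struct vfl_cxt_image {
    uint32_t body[VFL_CXT_WORDS];
    uint32_t checksum1;  /* addition */
    uint32_t checksum2;  /* XOR */
};

static void vfl_checksums(const struct vfl_cxt_image *c,
                          uint32_t *sum, uint32_t *xr)
{
    uint32_t i, s = 0xAABBCCDD, x = 0xAABBCCDD;
    for (i = 0; i < VFL_CXT_WORDS; i++) {
        s += c->body[i];
        x ^= c->body[i];
    }
    *sum = s;
    *xr = x;
}

/* The page's logic. Assumption: 0 means accepted, 1 means rejected. */
int verify_as_documented(const struct vfl_cxt_image *c)
{
    uint32_t s, x;
    vfl_checksums(c, &s, &x);
    if (s == c->checksum1) return 0;
    if (x != c->checksum2) return 0;  /* the inverted comparison */
    return 1;
}

/* Hypothetical strict check for comparison: both checksums must match. */
int verify_strict(const struct vfl_cxt_image *c)
{
    uint32_t s, x;
    vfl_checksums(c, &s, &x);
    return (s == c->checksum1 && x == c->checksum2) ? 0 : 1;
}

enum damage { INTACT, BODY_BITFLIP, PAIRED_BITFLIP, STORED_SUM, STORED_XOR };

/* Build a constructed context, seal it with valid checksums, then damage it. */
static void make_image(struct vfl_cxt_image *c, enum damage d)
{
    uint32_t i;
    for (i = 0; i < VFL_CXT_WORDS; i++)
        c->body[i] = i * 0x01010101u;             /* constructed filler */
    vfl_checksums(c, &c->checksum1, &c->checksum2);
    switch (d) {
    case INTACT:         break;
    case BODY_BITFLIP:   c->body[5] ^= 1; break;  /* changes sum and XOR */
    case PAIRED_BITFLIP: c->body[2] ^= 1;         /* same bit set in two */
                         c->body[4] ^= 1; break;  /* words: XOR unchanged */
    case STORED_SUM:     c->checksum1 ^= 1; break;
    case STORED_XOR:     c->checksum2 ^= 1; break;
    }
}

int documented_verdict(enum damage d)
{
    struct vfl_cxt_image c;
    make_image(&c, d);
    return verify_as_documented(&c);
}

int strict_verdict(enum damage d)
{
    struct vfl_cxt_image c;
    make_image(&c, d);
    return verify_strict(&c);
}

int main(void)
{
    static const char *const name[] = {
        "intact", "body bit flip", "paired bit flip",
        "stored sum", "stored xor"
    };
    int d;
    for (d = INTACT; d <= STORED_XOR; d++)
        printf("%-16s documented=%d strict=%d\n", name[d],
               documented_verdict((enum damage)d),
               strict_verdict((enum damage)d));
    return 0;
}
```

Any change to a single word of the body alters both checksums, so the documented logic accepts it; the only damage it rejects is the kind that changes the sum while leaving the XOR matching.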
=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be
        committed because they were changed more than 100 times since
        the last commit.
*/ uint32_t erasedirty; /* Seems to be unused */ uint16_t field_120; /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */ uint16_t ftlctrlblocks[3]; /* The last used vPage number from ftlctrlblocks */ uint32_t ftlctrlpage; /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */ uint32_t clean_flag; /* Seems to be unused, but gets loaded from flash by Whimory. */ uint8_t field_130[0x15C]; } __attribute__((packed)); === FTL mounting procedure === * Make sure the VFLs are mounted * Get the FTL context vBlock numbers from the most-recently updated VFL context * Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as it's first page. * Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown. * Read the block map and erase counter pages pointed to by the FTL context * Initialize the scattered page, problem log and erase counter dirt information. === lPage read procedure === * Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block. * If there is a scattered page entry for the lBlock, that contains the requested page, use that instead. * Read the vPage * If it was unprogrammed, return an all-zero result. * If there was an error, zero the result and return an error. 
=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example
            number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

f1b94dff5c360b663fd4ab66eb35eb5d5b1053e7 2675 2668 2010-07-05T11:57:35Z Farthen 28 Undo revision 2668 by [[Special:Contributions/80.153.60.105|80.153.60.105]] ([[User talk:80.153.60.105|Talk]]) wikitext text/x-wiki

The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)
  ____________________________________________________
 | Block 0: Signature                                 |
 |----------------------------------------------------|
 | 4 VFL context blocks                               |
 |----------------------------------------------------|
 | Spare blocks for remapping                         |
 |----------------------------------------------------|
 | Virtual blocks (directly mapped)                   |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  | Low level signature     |
 | protect overlapping low  | and BBT blocks          |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index
        into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap,
        but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare
        block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.
        If the entry is zero, you should look at the remap table to see
        if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring
        buffer. On a VFL context write, always 8 pages are written,
        and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the
        remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are any.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be committed
        because they were changed more than 100 times since the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.

=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page, for example
            number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

5ba37dcbcb54683cbfca2ab26cf21c886911dfd1 Status 0 121 2695 2603 2010-07-05T14:20:54Z TheSeven 13 wikitext text/x-wiki

This status is based on the progress the Linux4nano team has made.

== Basic drivers or steps: ==
In semi-chronological order:

{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (80/160thick) !! 2G Classic (120) !!
3G Classic (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

== Custom firmware ==
{| border="1" cellpadding="5" cellspacing="0"
! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic
|-
| Bootloader
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Rockbox
| <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Linux
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Uncap
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-

d37d6fca641cb090f86ab74a6e582d03efd6a43c Main Page 0 50 2697 2612 2010-07-06T15:50:37Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Categories==
[[Todo list]] [[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]

8b547c5202a0a753b09dfe7e26d245582d73fd58 2711 2697 2010-07-13T00:47:13Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Disassembling firmware]]

==Software analysis==
* [[Bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

==Categories==
[[Recent activity]] [[Obtaining firmware]] [[Firmware analysis]] [[Hardware analysis]]

1eb3229698afcf2a04061b0252cd319250301517 2712 2711 2010-07-13T00:49:09Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Disassembling firmware]]

==Software analysis==
* [[Bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

e12b0a4017a44f9b92c130e84f954cca0e1a61cf 2716 2712 2010-07-13T01:36:22Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]

==Software analysis==
* [[Bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

3b198190bd39c47a4f0323136138ae9eb02835d5 2734 2716 2010-07-13T05:39:45Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]

==Software analysis==
* [[2G Nano bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

db676436927285021475c1787c721929330f5498 2735 2734 2010-07-13T05:42:26Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]

==Software analysis==
* [[2G Nano bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]
* [[4G Firmware Upgrade Process]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

972752bdbbfa63834d728f4ef9486bc0d4e703fc 2736 2735 2010-07-13T05:45:34Z Cmwslw 1 wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

==Project info==
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]

==Exploits==
* [[Pwnage 2.0]]
* [[Notes exploit]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]

==Software==
* [[iLoader]]
* [[iBugger]]

==Basic skills==
* [[GNU ARM toolchain]]
* [[Dumping firmware]]
* [[Extracting firmware]]

==Software analysis==
* [[2G Nano bootrom]]
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware encryption]]
* [[4G Firmware Upgrade Process]]
* [[Nano2G LCD Init]]
* [[Nano2G FTL]]

==Hardware analysis==
* [[Hardware]]
* [[Hardware annotation]]
* [[2G analysis]]
* [[S5L8701 analysis]]
* [[Nano2G Clock Gates]]
* [[Chronology]]

==Other guides==
* [[MPEG Movies]]
* [[Modes]]

bbc007b4407c0731d346d93850346428d3fb513c 2737 2736 2010-07-13T05:51:11Z Cmwslw 1 clarified headings wikitext text/x-wiki

[[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]]
This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated.

==Status==
'''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploits== * [[Pwnage 2.0]] * [[Notes exploit]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[2G Nano bootrom]] * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * [[4G Firmware Upgrade Process]] * [[Nano2G LCD Init]] * [[Nano2G FTL]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[2G analysis]] * [[S5L8701 analysis]] * [[Nano2G Clock Gates‎]] * [[Chronology]] ==Other guides== * [[MPEG Movies]] * [[Modes]] 8d3feaade174820fe546249ec6b044cfc3c676b6 2741 2737 2010-07-13T05:52:55Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploiting== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[2G Nano bootrom]] * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * [[4G Firmware Upgrade Process]] * [[Nano2G LCD Init]] * [[Nano2G FTL]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[2G analysis]] * [[S5L8701 analysis]] * [[Nano2G Clock Gates‎]] * [[Chronology]] ==Other guides== * [[MPEG Movies]] * [[Modes]] aa876338de1c8856ed7cd68cc07d2d5fda172434 2742 2741 2010-07-13T16:23:01Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploiting== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[2G Nano bootrom]] ** [[Nano2G LCD Init]] ** [[Nano2G FTL]] * Nano 4G ** [[4G Firmware Upgrade Process]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[2G analysis]] ** [[S5L8701 analysis]] ** [[Nano2G Clock Gates‎]] ==Other guides== * [[MPEG Movies]] * [[Modes]] e92eda70f536b481e55a2379248d8f79f989d15c 2746 2742 2010-07-13T16:29:40Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploiting== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[2G Nano bootrom]] ** [[Nano2G Clock Gates‎]] ** [[Nano2G LCD Init]] ** [[Nano2G FTL]] * Nano 4G ** [[4G Firmware Upgrade Process]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano 2G HW analysis]] ** [[S5L8701 analysis]] ==Other guides== * [[MPEG Movies]] * [[Modes]] b99135512a76d4972d806448fd89472164157168 2755 2746 2010-07-13T16:32:29Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploiting== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G Clock Gates‎]] ** [[Nano2G LCD Init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ==Other guides== * [[MPEG Movies]] * [[Modes]] 41ab77b9c5e9b2602780ed6a6099281dd62d8f1b 2762 2755 2010-07-13T16:33:56Z Cmwslw 1 wikitext text/x-wiki [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
==Project info== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ==Exploiting== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] ==Released Software== * [[iLoader]] * [[iBugger]] ==Basic skills== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] ==Software efforts== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ==Hardware efforts== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ==Other guides== * [[MPEG movies]] * [[Modes]] ae829255f60ed844b14eabacc8ae3ddb6b44635f 2763 2762 2010-07-13T17:51:08Z Cmwslw 1 Made it a table layout wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|150px|thumb|right|iBugger on the 4G Nano]] This is the wiki page for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev @ irc.freenode.net] for development related discussion. Please save questions and comments for #linux4nano. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list, but these two are rarely updated. ==Status== '''We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G!''' '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 7f8bf7686d04ae57eba3488608a5e80c62f9fa4e 2764 2763 2010-07-13T18:08:00Z Cmwslw 1 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a[http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4g nano via iBugger! 
This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2g! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 0ae38b431256249c594a2819aaa9ec2eaf551287 2765 2764 2010-07-13T18:08:36Z Cmwslw 1 wikitext text/x-wiki __NOTOC__ 
[[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4g nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2g! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} d9e63c8a3ffb841c03224e3c5e8ae5ab92c578f8 2768 2765 2010-07-13T18:40:58Z Cmwslw 1 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! 
This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 26e30e17d31270a8284c2223b90cf2ef6bef3b6d Modes 0 52 2698 2411 2010-07-12T20:07:41Z Cmwslw 1 ordered the non-DFU 
device IDs wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since the Nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The Nano 2G also has a DFU mode, but that one is probably booted off the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet known how to communicate with a Nano 2G in DFU mode; not even iTunes can do that.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.
You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>
The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
</pre>
05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see below links). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 USB DFU Device
  iSerial                 3 87020000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      iInterface              0
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)
</pre>

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.
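The <code>** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01</code> line in the verbose lsusb output above is the DFU functional descriptor, which that lsusb build did not decode. The following is an added example (not code from this wiki or the Linux4nano project) that decodes it with the field layout from the DFU 1.1 specification linked under "Helpful pages", also accepting the 7-byte DFU 1.0 layout; the function names are this example's own, and the sample values are copied from the dump above.

```python
import struct

DFU_FUNCTIONAL = 0x21  # bDescriptorType of a DFU functional descriptor

# bmAttributes bit names as given in the DFU 1.1 specification
ATTRIBUTE_BITS = (
    (0x01, "bitCanDnload"),
    (0x02, "bitCanUpload"),
    (0x04, "bitManifestationTolerant"),
    (0x08, "bitWillDetach"),
)

# Sample values constructed from the page's lsusb dump (Nano 3G in DFU mode).
NANO3G_UNRECOGNIZED = "09 21 03 0a 00 00 08 00 01"
NANO3G_WTOTALLENGTH = 27
NANO3G_INTERFACE = (254, 1, 2)   # bInterfaceClass, SubClass, Protocol
NANO3G_NUM_ENDPOINTS = 0


def decode_dfu_functional(raw):
    """Decode a DFU functional descriptor given as raw bytes."""
    if len(raw) < 2:
        raise ValueError("descriptor shorter than its 2-byte header")
    b_length, b_type = raw[0], raw[1]
    if b_type != DFU_FUNCTIONAL:
        raise ValueError("not a DFU functional descriptor: type 0x%02x" % b_type)
    if b_length != len(raw):
        raise ValueError("bLength %d but %d bytes supplied" % (b_length, len(raw)))

    if b_length == 9:    # DFU 1.1 layout, ends with bcdDFUVersion
        attrs, detach_ms, transfer, bcd = struct.unpack_from("<BHHH", raw, 2)
        version = "%x.%02x" % (bcd >> 8, bcd & 0xFF)
    elif b_length == 7:  # DFU 1.0 layout, no version field
        attrs, detach_ms, transfer = struct.unpack_from("<BHH", raw, 2)
        version = None
    else:
        raise ValueError("unexpected DFU functional descriptor length %d" % b_length)

    return {
        "bLength": b_length,
        "bmAttributes": attrs,
        "capabilities": [name for bit, name in ATTRIBUTE_BITS if attrs & bit],
        "reserved_bits": attrs & 0xF0,   # should be zero
        "wDetachTimeOut": detach_ms,     # milliseconds
        "wTransferSize": transfer,       # max bytes per control transfer
        "bcdDFUVersion": version,
    }


def interface_role(b_class, b_subclass, b_protocol):
    """Classify an interface triple: DFU is class 0xFE, subclass 0x01."""
    if (b_class, b_subclass) != (0xFE, 0x01):
        return "not DFU"
    return {0x01: "run-time", 0x02: "DFU mode"}.get(b_protocol, "unknown protocol")


def config_length_consistent(w_total_length, functional_length, num_endpoints):
    """Check wTotalLength = config (9) + interface (9) + endpoints (7 each)
    + the class-specific functional descriptor."""
    return w_total_length == 9 + 9 + 7 * num_endpoints + functional_length


if __name__ == "__main__":
    desc = decode_dfu_functional(bytes.fromhex(NANO3G_UNRECOGNIZED))
    for key, value in desc.items():
        print("%-16s %s" % (key, value))
    print("interface role  ", interface_role(*NANO3G_INTERFACE))
    print("length check    ", config_length_consistent(
        NANO3G_WTOTALLENGTH, desc["bLength"], NANO3G_NUM_ENDPOINTS))
```

For the Nano 3G dump this yields download and upload capability, a 10 ms detach timeout, a 2048-byte transfer size and bcdDFUVersion 1.00, carried in the 9-byte layout that the DFU 1.1 document defines.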
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
77a896b5777f1c76e6e742577751566a5b842022 Pwnage 2.0 0 200 2699 2010-07-12T22:00:59Z Cmwslw 1 Added overview of the Pwnage 2.0 exploit wikitext text/x-wiki
==Overview==
Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple. Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800.

==Preparing WTF==
To be continued...
39a2f267df6f3849f7cb135438f6e32e554343c4 2713 2699 2010-07-13T01:20:07Z Cmwslw 1 wikitext text/x-wiki
Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple. Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800.
The iPod Classic and Nano lines are vulnerable to Pwnage 2.0, but this vulnerability has been patched starting with the 5G Nano.

==WTF==
The WTF file is the first recovery stage. It is believed that this stage facilitates the loading of a second stage. The iPhoneWiki has some limited information about WTF binaries [http://theiphonewiki.com/wiki/index.php?title=WTF here]. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu.

The WTF has a header that is of length 0x600 (on the S5L8720 at least). This header is mostly zeros but it also has the length of the certificate. The certificate is at the end of the WTF. On the S5L8720 the certificate is 0xBE3 bytes long.

==Preparing WTF==
In order to use the exploit, you must overwrite part of the WTF's main body with a payload. Offset 0x800 is a good place to start the payload.

To be continued...
c8a0e60b58565a6428f7f5c33773d7b58c7f3d13 2722 2713 2010-07-13T03:13:00Z Cmwslw 1 wikitext text/x-wiki
Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple. Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800.
The iPod Classic and Nano lines are vulnerable to Pwnage 2.0, but this vulnerability has been patched starting with the 5G Nano. ==WTF== The WTF file is the first recovery stage. It is believed that this stage facilitates the loading of a second stage. The iPhoneWiki has some limited information about WTF binaries [http://theiphonewiki.com/wiki/index.php?title=WTF here]. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. The WTF has a header that is of length 0x600 (on the S5L8720 at least). This header is mostly zeros but it also has the length of the certificate. In the middle is the large encrypted payload. The certificate is at the end of the WTF. On the S5L8720 the certificate is 0xBE3 bytes long. ==Preparing WTF== In order to use the exploit, you must overwrite part of the WTF's main body with a payload. Offset 0x800 is a good place to start the payload. To be continued... a08905fe1e4a0def779fa4abdbc95be2aee8064e Working with binaries 0 201 2700 2010-07-13T00:09:02Z Cmwslw 1 Created page with 'Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ==Obtaining== The GN...' wikitext text/x-wiki Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ==Obtaining== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path. 
==Assembling==
<pre>
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>
==Disassembling==
<pre>
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>
c92ebc793872c78b04a681833a4dafd6a5d58830 2714 2700 2010-07-13T01:34:24Z Cmwslw 1 Added section about IDA wikitext text/x-wiki Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ==Obtaining== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.
==Assembling==
<pre>
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>
==Disassembling==
<pre>
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>
==Preparing for IDA Pro demo== The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>
2f89fd9b11a1d554046762a169aec3416aee9b4f 2715 2714 2010-07-13T01:35:44Z Cmwslw 1 wikitext text/x-wiki Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ==Obtaining== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.
==Assembling==
<pre>
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>
==Disassembling==
<pre>
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>
==Preparing for IDA Pro demo== The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>
==Helpful pages== http://chdk.wikia.com/wiki/GPL_Disassembling http://www.dwelch.com/ipod/ 35fef34426da823902945bd06f324fc6f93ce92a Notes vulnerability 0 98 2708 2683 2010-07-13T00:35:38Z Cmwslw 1 moved [[Getting execution]] to [[Notes exploit]]: Getting execution was too general wikitext text/x-wiki == Notes vulnerability == === Basics === The notes functionality is basically an HTML browser included in the iPod. Some documentation can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are: *64kB files are loaded just after the boot of the nano, however they are not kept in RAM *each file is limited to 4kB *the links point to other files, or to other notes, or to media files. *the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;) There seem to be 2 buffers: one which is a perfect copy of the disc file, including BOM, etc..., and one after UTF16 processing === File loading === The htm file is converted to UTF-16 first. This limits the possible char sequences. The best thing to have the most charset possibilities is to encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].
Forbidden values are: *FE FF: UTF16 BOM *D8 00 up to DF FF: not checked what happens if inserting them *00 00: would stop string processing The opcodes to execute will be placed in the body of the htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded in many bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again) == Exploiting, getting execution == To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to put a second file to influence the buffer's location, in order to have a return address which fits UTF8 (no byte of the return address >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" contains first a UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);" This while(1) does not freeze or reset the iPod, but instead just crashes the background task.
You can still scroll the menus, but the ipod will freeze as soon as you press "play" or if you enter the notes menu, etc... The processor arrives to the notes in supervisor state, with interrupts activated (menu scrolling), etc. Caches are activated, recommendation is to disable them if making complex IO & DMA stuff, else they can interfere. == Dumping memories == For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible. All these dumps can not be published here, due to copyright issues. == UART == The UART is exactly the same than described in the datasheet. See [http://pargon.nl/?p=6 here] how to build an UART cable. my complete setup is a little bit more complex : [[Image:Nanofighter.jpg|100px|thumb]] *left board : DLC5 jtag interface, modified for reset and USB switching *right board : some programmer board, only the ST232 is used *upper board : this was the jtag scanner, now only the power supply and 5V regulator are used *middle board : all the switching stuff To automatically enter DFU mode, i wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == Because UART needs HW, USB will be used to debug in the future == Analysis of the dumps == To be documented. 7c696d3b736233bce781dc099dfe9098c37f6366 2718 2708 2010-07-13T02:43:00Z Cmwslw 1 Grammar and cleanup in general wikitext text/x-wiki == Notes vulnerability == === Basics === The notes functionality is basically a HTML browser included in the iPod. Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are: * 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM * each file is limited to 4kB * the links point to other files, notes, or media files. * the link is limited to 256 chars. 
Apple documents this limit, but they don't say it can cause a buffer overflow ;) There are many buffers scattered throughout the RAM: # Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to. # Some have UTF16 processing. These are a burden but can be worked around. # Some have UTF8 processing. These are virtually unusable. The main disadvantage to this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage. === Dealing with UTF-16 === If jumping to a UTF16-processed buffer, the possible character sequences are limited. The best thing to have the most charset possibilities is to encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. The forbidden values in UTF16 are: * FE FF: UTF16 BOM * D8 00 up to DF FF: not checked what happens if inserting them * 00 00: would stop string processing The payload is placed in the body of the .htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded in many bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars.
Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again) == Exploiting, getting execution == (Credit for the exploit goes to [[Sto]]) To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to place a second file to influence the buffer's location in order to have a return address which conforms to UTF8 (no byte of the return address can be >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);" This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc... The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on. Caches are also activated. Disabling them is recommended if you are performing complex IO & DMA stuff because they can interfere. == Dumping memories == For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible. The dumps can't be published here, due to copyright issues. == UART == The UART is exactly the same as described in the datasheet (if one did indeed exist). See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector.
My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] * left board: DLC5 JTAG interface, modified for reset and USB switching * right board: some programmer board, only the ST232 is used * upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used * middle board: all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == USB was eventually figured out so we no longer needed the UART cables. 807289ab251693dc114a82ea701f00c93edd0136 2738 2718 2010-07-13T05:51:54Z Cmwslw 1 moved [[Notes exploit]] to [[Notes vulnerability]] wikitext text/x-wiki == Notes vulnerability == === Basics === The notes functionality is basically a HTML browser included in the iPod. Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are: * 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM * each file is limited to 4kB * the links point to other files, notes, or media files. * the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;) There are many buffers scattered throughout the RAM: # Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to. # Some have UTF16 processing. These are a burden but can be worked around. # Some have UTF8 processing. These are virtually unusable. The main disadvantage to this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage. === Dealing with UTF-16 === If jumping to a UTF16-processed buffer, the possible character sequences are limited. The best thing to have the most charset possibilities is to encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. 
The forbidden values in UTF16 are: * FE FF: UTF16 BOM * D8 00 up to DF FF: not checked what happens if inserting them * 00 00: would stop string processing The payload is placed in the body of the .htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded in many bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied in a limited buffer which is located on the stack. By putting a return address repetitively in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again) == Exploiting, getting execution == (Credit for the exploit goes to [[Sto]]) To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to place a second file to influence the buffer's location in order to have a return address which conforms to UTF8 (no byte of the return address can be >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].
The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);" This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the ipod will freeze as soon as you press "play" or if you enter the notes menu, etc... The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on. Caches are also activated. Disabling them is recommended if you are performing complex IO & DMA stuff because they can interfere. == Dumping memories == For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible. The dumps can't be published here, due to copyright issues. == UART == The UART is exactly the same as described in the datasheet (if one did indeed exist). See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector. My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] * left board: DLC5 JTAG interface, modified for reset and USB switching * right board: some programmer board, only the ST232 is used * upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used * middle board: all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == USB was eventually figured out so we no longer needed the UART cables. 807289ab251693dc114a82ea701f00c93edd0136 2740 2738 2010-07-13T05:52:19Z Cmwslw 1 wikitext text/x-wiki === Basics === The notes functionality is basically a HTML browser included in the iPod. Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. 
Basic rules are: * 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM * each file is limited to 4kB * the links point to other files, notes, or media files. * the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;) There are many buffers scattered throughout the RAM: # Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to. # Some have UTF16 processing. These are a burden but can be worked around. # Some have UTF8 processing. These are virtually unusable. The main disadvantage to this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage. === Dealing with UTF-16 === If jumping to a UTF16-processed buffer, the possible character sequences are limited. The best thing to have the most charset possibilities is to encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. The forbidden values in UTF16 are: * FE FF: UTF16 BOM * D8 00 up to DF FF: not checked what happens if inserting them * 00 00: would stop string processing The payload is placed in the body of the .htm file. === Link overflow === After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different): *First, the link is extracted from the file, and copied to some heap or fixed buffers *The link is converted to UTF8. Every char >7F is encoded in many bytes *Then it is passed through an uppercase function *The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like) *Finally, this link is copied in a limited buffer which is located on the stack.
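The processing steps listed above, written out as an added example (this is not the iPod firmware's code and not code from the wiki's authors): a C sketch that applies the same order of operations and adds the missing final check, comparing the byte length after all transformations against the destination size. The function names, the 256-byte destination taken from the documented link limit, the rejection of decoded bytes above 0x7F, and the sample link are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINK_MAX 256  /* assumption: destination sized to the documented 256-char limit */

enum { LINK_OK = 0, LINK_TOO_LONG = -1, LINK_BAD_INPUT = -2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;  /* link is uppercased before decoding */
    return -1;
}

/*
 * Hypothetical hardened resolver (names are this example's, not the firmware's).
 * src holds the link as UTF-16 code units, as it exists after the file is loaded.
 * *needed receives the byte count the final copy requires, excluding the NUL.
 */
int resolve_link(const uint16_t *src, size_t n, char out[LINK_MAX], size_t *needed)
{
    unsigned char work[LINK_MAX * 3 + 1];  /* worst case: 3 UTF-8 bytes per code unit */
    size_t len = 0, r, w;

    *needed = 0;
    if (n > LINK_MAX)                      /* the documented limit counts characters */
        return LINK_TOO_LONG;

    /* UTF-16 -> UTF-8: every unit above 0x7F grows to 2 or 3 bytes. */
    for (r = 0; r < n; r++) {
        uint16_t u = src[r];
        if (u == 0 || (u >= 0xD800 && u <= 0xDFFF))
            return LINK_BAD_INPUT;         /* embedded NUL or surrogate half */
        if (u < 0x80) {
            work[len++] = (unsigned char)u;
        } else if (u < 0x800) {
            work[len++] = (unsigned char)(0xC0 | (u >> 6));
            work[len++] = (unsigned char)(0x80 | (u & 0x3F));
        } else {
            work[len++] = (unsigned char)(0xE0 | (u >> 12));
            work[len++] = (unsigned char)(0x80 | ((u >> 6) & 0x3F));
            work[len++] = (unsigned char)(0x80 | (u & 0x3F));
        }
    }

    /* Uppercase pass (ASCII letters only; multi-byte sequences are untouched). */
    for (r = 0; r < len; r++)
        if (work[r] >= 'a' && work[r] <= 'z')
            work[r] = (unsigned char)(work[r] - 'a' + 'A');

    /* %XX decoding in place; the output never grows, so w never passes r. */
    for (r = 0, w = 0; r < len; ) {
        if (work[r] != '%') {
            work[w++] = work[r++];
            continue;
        }
        if (len - r < 3)
            return LINK_BAD_INPUT;         /* truncated escape */
        int hi = hexval(work[r + 1]), lo = hexval(work[r + 2]);
        if (hi < 0 || lo < 0)
            return LINK_BAD_INPUT;
        int v = hi * 16 + lo;
        if (v == 0 || v > 0x7F)            /* design choice of this sketch: reject NUL */
            return LINK_BAD_INPUT;         /* and bytes that could break UTF-8 validity */
        work[w++] = (unsigned char)v;
        r += 3;
    }

    /* The check that matters: final byte length against the destination size. */
    *needed = w;
    if (w >= LINK_MAX)
        return LINK_TOO_LONG;
    memcpy(out, work, w);
    out[w] = '\0';
    return LINK_OK;
}

/* Wrapper for constructed ASCII sample links. */
int resolve_ascii(const char *s, char out[LINK_MAX], size_t *needed)
{
    uint16_t wide[LINK_MAX + 8];
    size_t n = 0;
    while (s[n] != '\0' && n < LINK_MAX + 8) {
        wide[n] = (unsigned char)s[n];
        n++;
    }
    return resolve_link(wide, n, out, needed);
}

int main(void)
{
    char out[LINK_MAX];
    size_t need;
    int rc = resolve_ascii("notes/a%20b.htm", out, &need);  /* constructed sample link */
    printf("rc=%d out=%s need=%zu\n", rc, out, need);
    return 0;
}
```

A link of 200 non-ASCII characters passes the character-count limit yet needs 400 bytes after UTF-8 conversion, so only the final byte-length check keeps it out of the 256-byte destination.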
By putting a return address repetitively in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again) == Exploiting, getting execution == (Credit for the exploit goes to [[Sto]]) To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to place a second file to influence the buffer's location in order to have a return address which conforms to UTF8 (no byte of the return address can be >7F). An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);" This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc... The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on. Caches are also activated. Disabling them is recommended if you are performing complex IO & DMA stuff because they can interfere. == Dumping memories == For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible. The dumps can't be published here, due to copyright issues. == UART == The UART is exactly the same as described in the datasheet (if one did indeed exist). See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector.
My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]] * left board: DLC5 JTAG interface, modified for reset and USB switching * right board: some programmer board, only the ST232 is used * upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used * middle board: all the switching stuff To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel. == USB == USB was eventually figured out so we no longer needed the UART cables. 93398ce58c825bf7723652ae5c03dbc50cd07933 Getting execution 0 204 2709 2010-07-13T00:35:38Z Cmwslw 1 moved [[Getting execution]] to [[Notes exploit]]:&#32;Getting execution was too general wikitext text/x-wiki #REDIRECT [[Notes exploit]] 5cfb25bbf8360e541403c07497fd0dd9394da70e Address bruteforcing 0 122 2720 2687 2010-07-13T02:52:34Z Cmwslw 1 wikitext text/x-wiki '''NOTICE: This process is no longer needed.''' Anybody left trying this is wasting their time, but we are preserving it for reference. The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. 
Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]]. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds.
The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! 
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| border="1" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c74d46dd7e2f36ea4755eebace62ee8ef8294b55 Nanotron 3000 0 130 2721 2676 2010-07-13T03:04:42Z Cmwslw 1 wikitext text/x-wiki '''NOTICE: This project is an old attempt at [[Address bruteforcing]].''' Nanotrons are no longer needed. Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like [[Sto]] used on the 2G. 
This would be more expensive but easier IMO. == Completed Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). 
* motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C === cmwslw === [[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]] My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable. === tucenaber === [[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]] This Nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3G. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rest on one rubber ring each, come from a bicycle wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of [[cmwslw]]'s code. == Timings for resetting and rebooting iPods == {| border="1" |- ! Action ! Nano 4G ! 
Classic 2G |- | Reset | 5 seconds | 5 seconds |- | Reboot to main menu (cable disconnected) | 17.5 seconds | 28 seconds |- | Reboot to main menu (cable connected) | 35 seconds | 28 seconds |- | Reboot to disk mode (cable disconnected) | 2-3 seconds | 4-5 seconds |- | Reboot to disk mode (cable connected) | 11 seconds | 4-5 seconds |- |} Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode: # Take off old note file, put in new one (half a second) # Hold down menu and select to reboot (5 seconds) # Wait for boot (35 seconds) # Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot) # Boot to disk mode and start from beginning (11 seconds) So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical. TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell... === Testing for freeze === '''This info is sort of outdated but possibly useful.''' Currently, the easiest way to test for a working iPod is to look for a line similar to: <pre> [ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0 </pre> in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). 
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know. TODO: post kernel logs and investigate reboot log behavior 198d1875ec422ae8be3c31158b3b35a33c405ce9 ILoader 0 146 2723 2583 2010-07-13T05:06:48Z Cmwslw 1 minor changes wikitext text/x-wiki Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second-level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable. For installation instructions, see the [http://the-seven.tk/ipod/iloader iLoader homepage]. 94683b6da22b56c0f13abcff88af02ee88b4c94e 2724 2723 2010-07-13T05:14:52Z Cmwslw 1 wikitext text/x-wiki Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second-level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable. iLoader only works on the 2G Nano, as this is the only iPod we've figured out the FTL for. For installation instructions, see the [http://the-seven.tk/ipod/iloader iLoader homepage].
bc75cf032de816e469c6ebe93545d1af30a5c690 IBugger 0 116 2725 2674 2010-07-13T05:21:34Z Cmwslw 1 wikitext text/x-wiki [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] The two iBugger utilities use a Python script that handles USB communication with the iPod. ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very little changes needed to the code being debugged, to allow running it in iBugger There are iBugger Loader releases for the 2G and 4G Nanos. 
2996ea199e484d35f50679220f2a15c775ff1c80 Dumping firmware 0 53 2726 2399 2010-07-13T05:27:22Z Cmwslw 1 Removed an unfounded speculation about an encryption key wikitext text/x-wiki The first step to examining an iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet. ==From the iPod== Getting a firmware dump is very easy in Linux. Just: # Make sure the iPod is plugged in. # Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration. # A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time. ==From the internet== You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents: ===1G-3G Nano firmware structure=== {| border="1" cellpadding="5" cellspacing="0" ! Filename !! Description |- | Firmware-XX.X.X.X || The actual firmware file |- | manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes. |} ===4G Nano firmware structure=== The 4G Nanos seem to have a different structure with an interesting new file: {| border="1" cellpadding="5" cellspacing="0" ! Filename !! Description |- | Firmware.MSE || The actual firmware file |- | manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes. |- | N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as the iPhone and iPod Touch.
|} You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware d069a9d7a1a670293c73f3a0ca69c7741963ee44 Extracting firmware 0 57 2727 2400 2010-07-13T05:31:31Z Cmwslw 1 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine. To obtain a list of available files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> Also, if you are using the osos.fw output by extract2g in iLoader, you need to do the following to it first: <pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre> Then put osos.out into /iLoader/osos.fw Or alternatively, under Windows open osos.fw in HxD and select 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware f9b04ca2dfed8bdb509a3dd1842b581de9b1231d 2728 2727 2010-07-13T05:34:29Z Cmwslw 1 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g.
Extract2g can be found on the Linux4nano SVN at http://svn.gna.org/viewcvs/linux4nano/trunk/tools/extract2g/. The Windows binary is provided, and the Linux version can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine. To obtain a list of available files, type in: <pre>extract2g -l dump.img</pre> Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in: <pre>extract2g -A dump.img</pre> You should now have 3 files: *osos.fw *aupd.fw *rsrc.fw These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in: <pre>extract2g - -help</pre> ===Removing header=== Also, if you are using the osos.fw output by extract2g in iLoader, you need to remove the 2 KiB header from it: <pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre> Or alternatively, under Windows open osos.fw in HxD and select 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save. Then put osos.out into /iLoader/osos.fw ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 23cbcbf9b15bb8d20bca4bef9ad251da23faf6e2 Nano2G HW analysis 0 94 2743 2688 2010-07-13T16:26:05Z Cmwslw 1 moved [[2G analysis]] to [[Nano 2G HW analysis]]: more specific title wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester.
Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed using a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. Results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701] See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable, and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and none of the memories are reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection.
We used statistics on many dumps to have helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? == [[Nano2G getting exec]] 62dba39be9d0aa62bc0e88e9519b22513151ee6b 2749 2743 2010-07-13T16:30:59Z Cmwslw 1 moved [[Nano 2G HW analysis]] to [[Nano2G HW analysis]] wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Hardware#2G_Nano_2]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed using a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. Results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701] See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why).
But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable, and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and none of the memories are reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ?
== [[Nano2G getting exec]] 62dba39be9d0aa62bc0e88e9519b22513151ee6b Hardware 0 54 2745 2671 2010-07-13T16:27:11Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07].
Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. 
This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano 2G HW analysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G 
Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 41f31a4b71e43cb1ea1e64262614afeaa720778e Nano 2G HW analysis 0 263 2750 2010-07-13T16:30:59Z Cmwslw 1 moved [[Nano 2G HW analysis]] to [[Nano2G HW analysis]] wikitext text/x-wiki #REDIRECT [[Nano2G HW analysis]] 59a5a0b4571bb212c3332bfd48be0ccc83f0480e Nano4G firmware upgrade process 0 186 2751 2381 2010-07-13T16:31:17Z Cmwslw 1 moved [[4G Firmware Upgrade Process]] to [[Nano4G Firmware Upgrade Process]] wikitext text/x-wiki the whole firmware update is done through a custom 0xc6 scsi command first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response (meaning unknown) maybe the count of update log entries? 
then the last update log page (4KB) is read using a c6 97 00 01 00 00 00 00 00 00 packet then a new log page (4KB) is written using a c6 98 00 01 00 00 00 00 00 00 packet then there is a c6 94 00 02 80 00 00 00 00 00 00 00 00 00 00 00 packet, no idea what it's good for, no data stage the next stage is uploading the "N58s.bootloader.release.rb3" file, using a c6 90 <type> <size> 00 00 00 00 00 00 00 00 00 packet <type> is 00 for the MSE, and 01 for the RB3 file, size is the big endian 32bit file size the transfer itself is done using c6 91 00 10 00 00 00 00 00 00 packets, each (besides the last one, which is trimmed to the number of bytes left to be transferred) followed by 5 data stages, being 16384, 3584, 16384, 16384 and 12800 bytes in size I can't think of any reason for this weird splitting, maybe it isn't even necessary and just an iTunes weirdness then the transfer is closed using a c6 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 packet the next step is uploading "Firmware.MSE" the same way finally a c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 is sent (no data stage), and another log entry is written that's the whole deal. -- [[User:TheSeven|TheSeven]] 22:21, 30 November 2009 (UTC) To send these commands on Linux you need the scsirastools (http://scsirastools.sourceforge.net/). On Debian you have to build it yourself using configure, make, make install. Once you have built it, run as root: sgdiag -I You will get a prompt. First type c to send a custom command, then the number of the device (the list is just above). The CDB length is 10, then the bytes are c6 ... (e.g. c6 97 00 01 00 00 00 00 00 00 for the first one). Response data length is 4 bytes for the first command, 0 for the ones with no data stage or for uploading firmware or log sending, 4096 for log reading. The Output data length is the size of data sent to the iPod (excluding the command). That's it. If the device is an iPod you should get a response, if it isn't you will get an error message.
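The command sequence above can be laid out and sanity-checked without touching a device. The following Python code is an added example, not part of the original wiki page or of any Linux4nano tool: it builds the command blocks exactly as listed above and plans the data stages for a file of a given size, with no SCSI I/O. The function names, the constructed file sizes and the way the trimmed last packet is split across stages are assumptions.

```python
"""Dry-run planner for the 0xC6 update exchange described above (added example).

Builds the command blocks and data-stage sizes only; performs no device I/O.
"""
import struct
from typing import List, NamedTuple

# Data stages that follow each full "c6 91" packet, as listed on the page.
STAGE_SIZES = (16384, 3584, 16384, 16384, 12800)
PACKET_BYTES = sum(STAGE_SIZES)   # 65536 bytes carried by one full packet
LOG_PAGE = 4096                   # update log page (4KB)
TYPE_MSE = 0x00                   # Firmware.MSE
TYPE_RB3 = 0x01                   # N58s.bootloader.release.rb3


class Step(NamedTuple):
    name: str
    cdb: bytes             # command block, bytes as given on the page
    data_in: int           # bytes expected back from the iPod
    data_out: List[int]    # sizes of the data stages sent to the iPod


def _cdb(text: str) -> bytes:
    return bytes.fromhex(text)


def open_transfer_cdb(file_type: int, size: int) -> bytes:
    """c6 90 <type> <size> followed by nine zero bytes; size is big-endian."""
    if file_type not in (TYPE_MSE, TYPE_RB3):
        raise ValueError("type must be 0x00 (MSE) or 0x01 (RB3)")
    if not 0 < size <= 0xFFFFFFFF:
        raise ValueError("size must fit the 32-bit size field")
    return bytes([0xC6, 0x90, file_type]) + struct.pack(">I", size) + bytes(9)


def plan_data_stages(size: int) -> List[List[int]]:
    """Data-stage sizes for every c6 91 packet needed to move `size` bytes.

    Assumption: the trimmed last packet fills the stages in the usual order
    until the bytes run out; the page only says that it is trimmed.
    """
    packets, remaining = [], size
    while remaining > 0:
        stages = []
        for stage in STAGE_SIZES:
            if remaining == 0:
                break
            chunk = min(stage, remaining)
            stages.append(chunk)
            remaining -= chunk
        packets.append(stages)
    return packets


def upload_steps(label: str, file_type: int, size: int) -> List[Step]:
    """Open (c6 90), data packets (c6 91) and close (c6 92) for one file."""
    steps = [Step(f"open {label}", open_transfer_cdb(file_type, size), 0, [])]
    for i, stages in enumerate(plan_data_stages(size)):
        steps.append(Step(f"{label} packet {i}",
                          _cdb("c6 91 00 10 00 00 00 00 00 00"), 0, stages))
    steps.append(Step(f"close {label}", _cdb("c6 92" + " 00" * 14), 0, []))
    return steps


def update_plan(rb3_size: int, mse_size: int) -> List[Step]:
    """Whole exchange in the order the page gives it."""
    plan = [
        Step("initiate update", _cdb("c6 96 00 00 00 00 00 00 00 00"), 4, []),
        Step("read last log page",
             _cdb("c6 97 00 01 00 00 00 00 00 00"), LOG_PAGE, []),
        Step("write new log page",
             _cdb("c6 98 00 01 00 00 00 00 00 00"), 0, [LOG_PAGE]),
        Step("purpose unknown", _cdb("c6 94 00 02 80" + " 00" * 11), 0, []),
    ]
    plan += upload_steps("RB3", TYPE_RB3, rb3_size)
    plan += upload_steps("MSE", TYPE_MSE, mse_size)
    plan.append(Step("finish", _cdb("c6 31" + " 00" * 14), 0, []))
    # The page says another log entry is written after this step but does not
    # give the command used for it, so it is not modelled here.
    return plan


if __name__ == "__main__":
    # Constructed file sizes, for illustration only.
    for step in update_plan(rb3_size=70000, mse_size=200000):
        cdb_hex = " ".join(f"{b:02x}" for b in step.cdb)
        print(f"{step.name:20} {cdb_hex:48} in={step.data_in} out={step.data_out}")
```

The five data stages of a full packet add up to exactly 65536 bytes, which is why the planner treats 64 KiB as the unit of transfer.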
18fbfd6931981b97fc5da1cae5ae0c41a999709e 2753 2751 2010-07-13T16:31:41Z Cmwslw 1 moved [[Nano4G Firmware Upgrade Process]] to [[Nano4G firmware upgrade process]] wikitext text/x-wiki the whole firmware update is done through a custom 0xc6 scsi command first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response (meaning unknown) maybe the count of update log entries? then the last update log page (4KB) is read using a c6 97 00 01 00 00 00 00 00 00 packet then a new log page (4KB) is written using a c6 98 00 01 00 00 00 00 00 00 packet then there is a c6 94 00 02 80 00 00 00 00 00 00 00 00 00 00 00 packet, no idea what it's good for, no data stage the next stage is uploading the "N58s.bootloader.release.rb3" file, using a c6 90 <type> <size> 00 00 00 00 00 00 00 00 00 packet <type> is 00 for the MSE, and 01 for the RB3 file, size is the big endian 32bit file size the transfer itself is done using c6 91 00 10 00 00 00 00 00 00 packets, each (besides the last one, which is trimmed to the number of bytes left to be transferred) followed by 5 data stages, being 16384, 3584, 16384, 16384 and 12800 bytes in size I can't think of any reason for this weird splitting, maybe it isn't even necessary and just an iTunes weirdness then the transfer is closed using a c6 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 packet the next step is uploading "Firmware.MSE" the same way finally a c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 is sent (no data stage), and another log entry is written that's the whole deal. -- [[User:TheSeven|TheSeven]] 22:21, 30 November 2009 (UTC) To send these commands on Linux you need the scsirastools (http://scsirastools.sourceforge.net/). On Debian you have to build it yourself using configure, make, make install. Once you have built it, run as root: sgdiag -I You will get a prompt. First type c to send a custom command, then the number of the device (the list is just above).
The CDB length is 10, then the bytes are c6 ... (e.g. c6 97 00 01 00 00 00 00 00 00 for the first one). Response data length is 4 bytes for the first command, 0 for the ones with no data stage or for uploading firmware or log sending, 4096 for log reading. The Output data length is the size of data sent to the iPod (excluding the command). That's it. If the device is an iPod you should get a response, if it isn't you will get an error message. 18fbfd6931981b97fc5da1cae5ae0c41a999709e Nano2G clock gates 0 191 2756 2692 2010-07-13T16:33:06Z Cmwslw 1 moved [[Nano2G Clock Gates]] to [[Nano2G clock gates]] wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!) ===PWRCON=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC?
(Datasheet) |} ===PWRCONEXT=== {| border="1" cellpadding="5" cellspacing="0" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? 
|}

3871eee67967e0dc6e293b290f25168f6ce88040 Nano2G LCD init 0 192 2758 2679 2010-07-13T16:33:19Z Cmwslw 1 moved [[Nano2G LCD Init]] to [[Nano2G LCD init]] wikitext text/x-wiki

 #include <stdint.h>
 /* Wait until bit 4 of the halfword at 0x3860001c is clear, then write the command to 0x38600004. */
 static void lcd_send_cmd(uint32_t cmd) __attribute__((naked, noinline));
 static void lcd_send_cmd(uint32_t cmd)
 {
     (void)cmd;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "lsc_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne lsc_wait \n\t"
         "strh r0, [r2,#0x4] \n\t"
         "mov pc, lr \n\t"
     );
 }
 /* Write the low 8 bits of data to 0x38600040, then wait until bit 4 of 0x3860001c is clear. */
 static void lcd_7_send_data(uint32_t data) __attribute__((naked, noinline));
 static void lcd_7_send_data(uint32_t data)
 {
     (void)data;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "and r0, r0, #0xff \n\t"
         "strh r0, [r2,#0x40] \n\t"
         "ls7d_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne ls7d_wait \n\t"
         "mov pc, lr \n\t"
     );
 }
 /* Busy-wait for (time << 16) loop iterations. */
 static void lcd_delay(uint32_t time) __attribute__((naked, noinline));
 static void lcd_delay(uint32_t time)
 {
     (void)time;
     asm volatile(
         "mov r0, r0,lsl#16 \n\t"
         "ld_wait: \n\t"
         "subs r0, r0, #1 \n\t"
         "bne ld_wait \n\t"
         "mov pc, lr \n\t"
     );
 }
 #define LCD_RST_TIME *((volatile uint32_t*)(0x38600024))
 #define LCD_DRV_RST *((volatile uint32_t*)(0x38600028))
 void main(void)
 {
     /* Set the reset time, then drive the reset line low and back high. */
     LCD_RST_TIME = 0x7FFF;
     LCD_DRV_RST = 0;
     lcd_delay(1);
     LCD_DRV_RST = 1;
     lcd_delay(5);
     /* Each command below is followed by its parameter bytes. */
     lcd_send_cmd(0x01); lcd_7_send_data(0x00);
     lcd_delay(10);
     lcd_send_cmd(0xB1); lcd_7_send_data(0x16); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB2); lcd_7_send_data(0x17); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB4); lcd_7_send_data(0x00);
     lcd_send_cmd(0xB6); lcd_7_send_data(0x01);
     lcd_send_cmd(0xB7); lcd_7_send_data(0x00); lcd_7_send_data(0x00); lcd_7_send_data(0x02); lcd_7_send_data(0x00); lcd_7_send_data(0x06); lcd_7_send_data(0x26); lcd_7_send_data(0x2D); lcd_7_send_data(0x27); lcd_7_send_data(0x55); lcd_7_send_data(0x27);
     lcd_send_cmd(0xB8); lcd_7_send_data(0x10);
     lcd_send_cmd(0xB9); lcd_7_send_data(0x52); lcd_7_send_data(0x12); lcd_7_send_data(0x03);
     lcd_send_cmd(0xC0); lcd_7_send_data(0x0A); lcd_7_send_data(0x10); lcd_7_send_data(0x10);
     lcd_send_cmd(0xC2); lcd_7_send_data(0x14); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC3); lcd_7_send_data(0x12); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC6); lcd_7_send_data(0x48);
     lcd_send_cmd(0xE0); lcd_7_send_data(0x20); lcd_7_send_data(0x71); lcd_7_send_data(0x17); lcd_7_send_data(0x09); lcd_7_send_data(0x70); lcd_7_send_data(0x0C); lcd_7_send_data(0x13); lcd_7_send_data(0x25);
     lcd_send_cmd(0xE1); lcd_7_send_data(0x37); lcd_7_send_data(0x00); lcd_7_send_data(0x63); lcd_7_send_data(0x11); lcd_7_send_data(0xD9); lcd_7_send_data(0x00); lcd_7_send_data(0x12); lcd_7_send_data(0x01);
     lcd_send_cmd(0xE2); lcd_7_send_data(0x42); lcd_7_send_data(0x42); lcd_7_send_data(0x60); lcd_7_send_data(0x08); lcd_7_send_data(0xB4); lcd_7_send_data(0x07); lcd_7_send_data(0x0E); lcd_7_send_data(0x90);
     lcd_send_cmd(0xE3); lcd_7_send_data(0x47); lcd_7_send_data(0x60); lcd_7_send_data(0x66); lcd_7_send_data(0x09); lcd_7_send_data(0x6A); lcd_7_send_data(0x02); lcd_7_send_data(0x0E); lcd_7_send_data(0x09);
     lcd_send_cmd(0xE4); lcd_7_send_data(0x11); lcd_7_send_data(0x40); lcd_7_send_data(0x03); lcd_7_send_data(0x0A); lcd_7_send_data(0xC1); lcd_7_send_data(0x0D); lcd_7_send_data(0x17); lcd_7_send_data(0x30);
     lcd_send_cmd(0xE5); lcd_7_send_data(0x00); lcd_7_send_data(0x30); lcd_7_send_data(0x77); lcd_7_send_data(0x1C); lcd_7_send_data(0xFB); lcd_7_send_data(0x00); lcd_7_send_data(0x13); lcd_7_send_data(0x07);
     lcd_send_cmd(0xE6); lcd_7_send_data(0x01);
     lcd_send_cmd(0x35); lcd_7_send_data(0x00);
     lcd_send_cmd(0x36); lcd_7_send_data(0x00);
     lcd_send_cmd(0xF2); lcd_7_send_data(0x40);
     lcd_send_cmd(0xF3); lcd_7_send_data(0x50);
     lcd_send_cmd(0xFB); lcd_7_send_data(0x01);
     lcd_send_cmd(0x11); lcd_7_send_data(0x00);
     lcd_delay(200);
     lcd_send_cmd(0x3A); lcd_7_send_data(0x65);
     lcd_send_cmd(0x29); lcd_7_send_data(0x00);
 }

f93d7e45db234495009ff15f2a56a9e3d6928790 2767 2758 2010-07-13T18:38:51Z Cmwslw 1 wikitext text/x-wiki

This
is some example code for initializing the Nano 2G's LCD:

 #include <stdint.h>
 /* Wait until bit 4 of the halfword at 0x3860001c is clear, then write the command to 0x38600004. */
 static void lcd_send_cmd(uint32_t cmd) __attribute__((naked, noinline));
 static void lcd_send_cmd(uint32_t cmd)
 {
     (void)cmd;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "lsc_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne lsc_wait \n\t"
         "strh r0, [r2,#0x4] \n\t"
         "mov pc, lr \n\t"
     );
 }
 /* Write the low 8 bits of data to 0x38600040, then wait until bit 4 of 0x3860001c is clear. */
 static void lcd_7_send_data(uint32_t data) __attribute__((naked, noinline));
 static void lcd_7_send_data(uint32_t data)
 {
     (void)data;
     asm volatile(
         "mov r2, #0x38000000 \n\t"
         "orr r2, r2, #0x600000 \n\t"
         "and r0, r0, #0xff \n\t"
         "strh r0, [r2,#0x40] \n\t"
         "ls7d_wait: \n\t"
         "ldrh r1, [r2,#0x1c] \n\t"
         "tst r1, #0x10 \n\t"
         "bne ls7d_wait \n\t"
         "mov pc, lr \n\t"
     );
 }
 /* Busy-wait for (time << 16) loop iterations. */
 static void lcd_delay(uint32_t time) __attribute__((naked, noinline));
 static void lcd_delay(uint32_t time)
 {
     (void)time;
     asm volatile(
         "mov r0, r0,lsl#16 \n\t"
         "ld_wait: \n\t"
         "subs r0, r0, #1 \n\t"
         "bne ld_wait \n\t"
         "mov pc, lr \n\t"
     );
 }
 #define LCD_RST_TIME *((volatile uint32_t*)(0x38600024))
 #define LCD_DRV_RST *((volatile uint32_t*)(0x38600028))
 void main(void)
 {
     /* Set the reset time, then drive the reset line low and back high. */
     LCD_RST_TIME = 0x7FFF;
     LCD_DRV_RST = 0;
     lcd_delay(1);
     LCD_DRV_RST = 1;
     lcd_delay(5);
     /* Each command below is followed by its parameter bytes. */
     lcd_send_cmd(0x01); lcd_7_send_data(0x00);
     lcd_delay(10);
     lcd_send_cmd(0xB1); lcd_7_send_data(0x16); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB2); lcd_7_send_data(0x17); lcd_7_send_data(0x03);
     lcd_send_cmd(0xB4); lcd_7_send_data(0x00);
     lcd_send_cmd(0xB6); lcd_7_send_data(0x01);
     lcd_send_cmd(0xB7); lcd_7_send_data(0x00); lcd_7_send_data(0x00); lcd_7_send_data(0x02); lcd_7_send_data(0x00); lcd_7_send_data(0x06); lcd_7_send_data(0x26); lcd_7_send_data(0x2D); lcd_7_send_data(0x27); lcd_7_send_data(0x55); lcd_7_send_data(0x27);
     lcd_send_cmd(0xB8); lcd_7_send_data(0x10);
     lcd_send_cmd(0xB9); lcd_7_send_data(0x52); lcd_7_send_data(0x12); lcd_7_send_data(0x03);
     lcd_send_cmd(0xC0); lcd_7_send_data(0x0A); lcd_7_send_data(0x10); lcd_7_send_data(0x10);
     lcd_send_cmd(0xC2); lcd_7_send_data(0x14); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC3); lcd_7_send_data(0x12); lcd_7_send_data(0x23);
     lcd_send_cmd(0xC6); lcd_7_send_data(0x48);
     lcd_send_cmd(0xE0); lcd_7_send_data(0x20); lcd_7_send_data(0x71); lcd_7_send_data(0x17); lcd_7_send_data(0x09); lcd_7_send_data(0x70); lcd_7_send_data(0x0C); lcd_7_send_data(0x13); lcd_7_send_data(0x25);
     lcd_send_cmd(0xE1); lcd_7_send_data(0x37); lcd_7_send_data(0x00); lcd_7_send_data(0x63); lcd_7_send_data(0x11); lcd_7_send_data(0xD9); lcd_7_send_data(0x00); lcd_7_send_data(0x12); lcd_7_send_data(0x01);
     lcd_send_cmd(0xE2); lcd_7_send_data(0x42); lcd_7_send_data(0x42); lcd_7_send_data(0x60); lcd_7_send_data(0x08); lcd_7_send_data(0xB4); lcd_7_send_data(0x07); lcd_7_send_data(0x0E); lcd_7_send_data(0x90);
     lcd_send_cmd(0xE3); lcd_7_send_data(0x47); lcd_7_send_data(0x60); lcd_7_send_data(0x66); lcd_7_send_data(0x09); lcd_7_send_data(0x6A); lcd_7_send_data(0x02); lcd_7_send_data(0x0E); lcd_7_send_data(0x09);
     lcd_send_cmd(0xE4); lcd_7_send_data(0x11); lcd_7_send_data(0x40); lcd_7_send_data(0x03); lcd_7_send_data(0x0A); lcd_7_send_data(0xC1); lcd_7_send_data(0x0D); lcd_7_send_data(0x17); lcd_7_send_data(0x30);
     lcd_send_cmd(0xE5); lcd_7_send_data(0x00); lcd_7_send_data(0x30); lcd_7_send_data(0x77); lcd_7_send_data(0x1C); lcd_7_send_data(0xFB); lcd_7_send_data(0x00); lcd_7_send_data(0x13); lcd_7_send_data(0x07);
     lcd_send_cmd(0xE6); lcd_7_send_data(0x01);
     lcd_send_cmd(0x35); lcd_7_send_data(0x00);
     lcd_send_cmd(0x36); lcd_7_send_data(0x00);
     lcd_send_cmd(0xF2); lcd_7_send_data(0x40);
     lcd_send_cmd(0xF3); lcd_7_send_data(0x50);
     lcd_send_cmd(0xFB); lcd_7_send_data(0x01);
     lcd_send_cmd(0x11); lcd_7_send_data(0x00);
     lcd_delay(200);
     lcd_send_cmd(0x3A); lcd_7_send_data(0x65);
     lcd_send_cmd(0x29); lcd_7_send_data(0x00);
 }

af9d7b96af0ce35668797a9f6c93b502b6c71bf2 MPEG movies 0 173 2760 2385 2010-07-13T16:33:32Z Cmwslw 1 moved [[MPEG Movies]] to [[MPEG movies]] wikitext text/x-wiki

Note: I'm not that great of a formatter so please edit to make this look neat
and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, and then press Enter:

 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]

Make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example command would be:

 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg

Now wait for the program to finish. You should then see a new file on your Desktop. Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file, and it should play.

== Linux Instructions: ==
Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:

 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]

Make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example command would be:

 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg

''Note: If libmp3lame doesn't work use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox, navigate to your file and play it.

== Several Notes ==
To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.

a9cf0e3944ce9feed0a38199fd3770c4f73e7dc2 MPEG Movies 0 215 2761 2010-07-13T16:33:32Z Cmwslw 1 moved [[MPEG Movies]] to [[MPEG movies]] wikitext text/x-wiki

#REDIRECT [[MPEG movies]]

cf66b94ea1efda4f298d49d329c54a30b4e51865 Firmware 0 56 2766 2693 2010-07-13T18:32:33Z Cmwslw 1 wikitext text/x-wiki

This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful.

==Nano 2G==
===osos===
This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

===aupd===
Here is a comparison between the different aupd partitions of firmware versions in the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

===rsrc===
This is the resource filesystem of the iPod firmware.
It is unencrypted and not of much use to this project.

==Nano 3G==
The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF.

==Classic 1G (6G)==
The Classic 1G has the same firmware structure as the 3G. This makes sense because they were released at the same time.

==Nano 4G==
The Nano 4G kept the ''osos'' and ''aupd'' sections, but it no longer has the ''aupd'' section. Instead, seven new sections were added. We assume that these have the following functions; a question mark means that we are not completely sure:
* ''appl'' - bootlogo?
* ''bdhw'' - bad hardware?
* ''bdsw'' - bad software?
* ''chrg'' - sleep, but charging?
* ''diag'' - diag mode
* ''disk'' - disk mode
* ''lbat'' - low battery logo?

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

c2355b10fb2737818fec01418fe5234decde04ba Hardware 0 54 2770 2745 2010-07-13T18:57:43Z Cmwslw 1 /* 1G Nano */ Fixed some broken links wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found.

For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU || Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. 
All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. 
One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== [[Nano 2G HW analysis]] [[S5L8701 analysis]] http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 2724bced6b160c5e3fa4f5cdbc319db438c97894 2771 2770 2010-07-13T22:01:26Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relavent to cracking firmware 
encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. 
|- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. 
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== 
http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 443c63a23f40d2f99d71ccb51ab7f0326dc225d2 2782 2771 2010-07-14T04:19:43Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relavent to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. 
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. | |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75]. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. 
Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA TYPE, The most is TOSHIBA TH58NVG6D1DLG87, Some SAMSUNG K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. 
One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) http://www.ipodlinux.org/wiki/Generations http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 [http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] [http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed ===2G Nano=== http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 ===3G Nano=== http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# http://content.techrepublic.com.com/2346-13636_11-170826-1.html http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html [http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 ===5G Nano=== http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 http://purpleskank.wikidot.com/ipod-nano-5g ===6G Classic=== http://en.wikipedia.org/wiki/IPod_Classic http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===Other (for comparison)=== http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 847c10be4fffc82a29487bb285deebfef1887040 2783 2782 2010-07-14T04:26:21Z Cmwslw 1 wikitext text/x-wiki Although iPods have many other components, here we are only listing the components that might be relavent to cracking firmware encryption. 
If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}
==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could also be used here.
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}
==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips. One example is the TH58NVG6D2ELA49, visible on the iFixit teardown.
|}
==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed
===2G Nano===
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
http://content.techrepublic.com.com/2346-13636_11-170826-1.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===5G Nano===
http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
http://purpleskank.wikidot.com/ipod-nano-5g
===6G Classic===
http://en.wikipedia.org/wiki/IPod_Classic
http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
1393e4cc05e534c334262d20a1f16db6793d04a3 2784 2783 2010-07-14T04:35:27Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts.
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}
==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could also be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}
==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips. One example is the TH58NVG6D2ELA49, visible on the iFixit teardown.
|}
==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed
===2G Nano===
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
http://content.techrepublic.com.com/2346-13636_11-170826-1.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===5G Nano===
http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
http://purpleskank.wikidot.com/ipod-nano-5g
===6G Classic===
http://en.wikipedia.org/wiki/IPod_Classic
http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
e6cd6828b1c1b57ae854fc682bd139cc2fc35c03 2804 2784 2010-07-29T00:27:50Z Cmwslw 1 wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well.
A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}
==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies.
The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could also be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}
==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips.
One example is the TH58NVG6D2ELA49, visible on the iFixit teardown.
|}
==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
http://www.ipodlinux.org/wiki/Generations
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed
===2G Nano===
http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
http://content.techrepublic.com.com/2346-13636_11-170826-1.html
http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===5G Nano===
http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
http://purpleskank.wikidot.com/ipod-nano-5g
===1G Classic===
http://en.wikipedia.org/wiki/IPod_Classic
http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
===2G Classic===
Teardowns:
http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c
===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
7a41534dbc14cd953574cf5c839604065259855b 2805 2804 2010-07-29T00:43:21Z Cmwslw 1 /* Helpful pages */ wikitext text/x-wiki
Although iPods have many other
components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}
==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could also be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR.
Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}
==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips. One example is the TH58NVG6D2ELA49, visible on the iFixit teardown.
|}
==Helpful pages==
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
*http://www.ipodlinux.org/wiki/Generations
*http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
Teardowns:
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed
===2G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
===3G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
Teardowns:
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===5G Nano===
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
Other:
*http://purpleskank.wikidot.com/ipod-nano-5g
===1G Classic===
Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
===2G Classic===
Teardowns:
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c
===Other (for comparison)===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
d5f6401fe789990275fb729f453159b5f8982822 2806 2805 2010-07-29T00:45:15Z Cmwslw 1 /* Helpful pages */ wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !!
Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}
==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI].
Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could also be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}
==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips.
One example is the TH58NVG6D2ELA49, visible on the iFixit teardown.
|}
==Helpful pages==
*http://www.ipodlinux.org/wiki/Generations
*http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
Teardowns:
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed
===2G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
===3G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
Teardowns:
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
===5G Nano===
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
Other:
*http://purpleskank.wikidot.com/ipod-nano-5g
===1G Classic===
Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
===2G Classic===
Teardowns:
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c
===Other (for comparison)===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
6f384ce036e522dee57cb43a70a5ad3db42cb17a
2807 2806 2010-07-29T00:46:06Z Cmwslw 1 /* 2G Nano */ wikitext text/x-wiki
Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. From this generation on, all of the contents of the utility flash chip are encrypted.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}

==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR.
Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND FLASH
| LGA type. Most units use the TOSHIBA TH58NVG6D1DLG87; some use the SAMSUNG K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}

==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown
|}

==Helpful pages==
*http://www.ipodlinux.org/wiki/Generations
*http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

===1G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx

Teardowns:
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed

===2G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

===3G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#

Teardowns:
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]

===4G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

===5G Nano===
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
Other:
*http://purpleskank.wikidot.com/ipod-nano-5g

===1G Classic===
Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html

===2G Classic===
Teardowns:
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c

===Other (for comparison)===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx

c58223982d23835d66641beaee4c9383c0c10ed3

Chronology 0 65 2772 2681 2010-07-13T22:21:55Z Cmwslw 1 wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)]
| 2007-09
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)]
| 2008-09
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !!
Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.
39a6c2a6420a7d020d2d81ea48345712a1a45042

2798 2772 2010-07-28T22:31:02Z Cmwslw 1 added capacity fields wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
|
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
|
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
|
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic 6G (Classic 1G)]
| 2007-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB 6.5G (Classic 2G)]
| 2008-09
|
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
|
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted.
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

1b1c55efc077ca29a44d6aabc8fae2a9e0461899

2799 2798 2010-07-28T22:32:22Z Cmwslw 1 added the Classic 3G wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
|
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
|
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
|
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
|
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
|
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods.
This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

253e5dadf179794b69616cce33315ff2a1db28dd

2800 2799 2010-07-28T22:41:33Z Cmwslw 1 Added iPod capacities wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
| 5 GB or 10 GB
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
| 10 GB or 20 GB
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
| 20 GB or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
| 20 GB, 30 GB, or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
| 30 GB or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
| 30 GB or 80 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
| 80 GB or 160 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
| 120 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
| 160 GB
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
|
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
|
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
|
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators.
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

155767bde814df0df855d694c54d0cf705f08ee7

2801 2800 2010-07-28T22:47:23Z Cmwslw 1 Added iPod Nano capacities wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
| 5 GB or 10 GB
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
| 10 GB or 20 GB
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
| 20 GB or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
| 20 GB, 30 GB, or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
| 30 GB or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
| 30 GB or 80 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
| 80 GB or 160 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
| 120 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
| 160 GB
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
| 1 GB, 2 GB, or 4 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
| 2 GB, 4 GB, or 8 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
| 4 GB or 8 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
| 8 GB or 16 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
| 8 GB or 16 GB
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators.
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

d8ac42c2c1f398d3f0a98ab370859e88ec8fac49

2802 2801 2010-07-28T22:50:35Z Cmwslw 1 Added notes for when encryption starts wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
| 5 GB or 10 GB
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
| 10 GB or 20 GB
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
| 20 GB or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
| 20 GB, 30 GB, or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
| 30 GB or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
| 30 GB or 80 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
| 80 GB or 160 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
| 120 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
| 160 GB
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
| 1 GB, 2 GB, or 4 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
| 2 GB, 4 GB, or 8 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
| 4 GB or 8 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
| 8 GB or 16 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
| 8 GB or 16 GB
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators.
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

e882da599d322fc0282bd6103b33a443ff26eed3

2808 2802 2010-07-29T01:15:17Z Cmwslw 1 wikitext text/x-wiki

This page lists all iPod models and sets the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page.

==iPod Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
| 5 GB or 10 GB
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
| 10 GB or 20 GB
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
| 20 GB or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
| 20 GB, 30 GB, or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
| 30 GB or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
| 30 GB or 80 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
| 80 GB or 160 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
| 120 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
| 160 GB
|
|}

==iPod Nano Series==
{| border="1" cellpadding="5" cellspacing="0"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
| 1 GB, 2 GB, or 4 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
| 2 GB, 4 GB, or 8 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
| 4 GB or 8 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
| 8 GB or 16 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
| 8 GB or 16 GB
|
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators.
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

==Helpful Pages==
http://support.apple.com/kb/HT1353

86598ccea50157ad7f2a3a1899f65ac6f89d280a

File:IPod Timeline.png 6 64 2773 1841 2010-07-13T22:29:21Z Cmwslw 1 uploaded a new version of "[[File:IPod Timeline.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709

Modes 0 52 2774 2698 2010-07-14T02:11:15Z Cmwslw 1 /* DFU mode */ wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed for as long as the iPod has. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.
For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since the Nano 3G) is probably contained in the processor's on-chip boot ROM. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.

===Getting DFU mode on 3G/4G===
[[File:N4G DFU.png|thumb]]
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep holding until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.
To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 USB DFU Device
  iSerial                 3 87020000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      iInterface              0
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)
</pre>

===Crafting a DFU util for the Nanos===
While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the [http://github.com/planetbeing/xpwn/tree/master modified dfu-util] by planetbeing in the xpwn repository. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification.
This is probably most compatible with the 4G Nano.

As stated by [https://mail.gna.org/public/linux4nano-dev/2009-04/msg00010.html this] mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses an 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos. Cmwslw has already set up a Windows virtual box and gotten a sniffer up and running, but he has not yet tried running iTunes with an iPod in DFU mode.

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

11b9c036f462f10a71c66ed82eb86c0a9bed9f77 2776 2774 2010-07-14T02:32:12Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer. [[File:N4G DFU.png|thumb]]
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You should see this device in your USB listing (lsusb):
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc. (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc. (for 4G)
</pre>

The product ID depends on whether the iPod is in DFU mode or not.
<pre>
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc.
Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
</pre>

05ac is the vendor ID (Apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see the links below). We need more devices! Email the mailing list if you can help!
The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode:
<pre>
Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 USB DFU Device
  iSerial                 3 87020000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      iInterface              0
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)
</pre>

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot.
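
The <code>** UNRECOGNIZED: 09 21 03 0a 00 00 08 00 01</code> line in the verbose lsusb output above is the DFU functional descriptor, which that lsusb build did not decode. The following Python is an added example (not code from the Linux4nano project or from libipoddfu.py) that decodes it using the field layout in the DFU 1.1 specification and cross-checks the product ID against the IDs listed on this page; the function names are assumptions made for illustration, and the sample text is abridged from the output above.

```python
import struct

# Product IDs (vendor 05ac) exactly as listed on this page; other models are unknown here.
DFU_PIDS = {0x1223: "Nano 3G", 0x1224: "Nano 3G", 0x1225: "Nano 4G", 0x1231: "Nano 5G"}
NORMAL_PIDS = {0x1262: "Nano 3G", 0x1263: "Nano 4G", 0x1265: "Nano 5G"}

# bmAttributes bits of the DFU functional descriptor (bit 3 exists only in DFU 1.1).
ATTRIBUTE_BITS = ((0x01, "can_download"), (0x02, "can_upload"),
                  (0x04, "manifestation_tolerant"), (0x08, "will_detach"))

# Abridged from the verbose lsusb output shown on this page (Nano 3G in DFU mode).
SAMPLE = """\
Device Descriptor:
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223
    Interface Descriptor:
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bDeviceClass            0 (Defined at Interface level)
"""


def parse_dfu_functional(raw):
    """Decode a DFU functional descriptor (7 bytes in DFU 1.0, 9 bytes in DFU 1.1)."""
    if len(raw) < 2 or raw[1] != 0x21:
        raise ValueError("not a DFU functional descriptor (bDescriptorType != 0x21)")
    length = raw[0]
    if length not in (7, 9) or length > len(raw):
        raise ValueError("bad or truncated descriptor, bLength=%d" % length)
    # Little-endian: bmAttributes (1 byte), wDetachTimeOut (2), wTransferSize (2).
    attrs, detach_ms, transfer_size = struct.unpack_from("<BHH", raw, 2)
    info = {
        "attributes": [name for bit, name in ATTRIBUTE_BITS if attrs & bit],
        "detach_timeout_ms": detach_ms,
        "transfer_size": transfer_size,
        "bcd_dfu_version": None,  # field absent from the 7-byte DFU 1.0 layout
    }
    if length == 9:
        (bcd,) = struct.unpack_from("<H", raw, 7)
        info["bcd_dfu_version"] = "%x.%02x" % (bcd >> 8, bcd & 0xFF)
    return info


def _field(text, name):
    """Return the first numeric value lsusb printed for a field, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == name:
            return int(parts[1], 0)
    return None


def inspect_lsusb(text):
    """Summarise what a verbose lsusb dump says about the device's DFU state."""
    vid, pid = _field(text, "idVendor"), _field(text, "idProduct")
    if vid == 0x05AC and pid in DFU_PIDS:
        pid_mode, model = "dfu", DFU_PIDS[pid]
    elif vid == 0x05AC and pid in NORMAL_PIDS:
        pid_mode, model = "normal", NORMAL_PIDS[pid]
    else:
        pid_mode, model = "unknown", None

    # Class 0xFE / subclass 0x01 is DFU; protocol 2 means DFU mode, 1 means run-time.
    iface = (_field(text, "bInterfaceClass"), _field(text, "bInterfaceSubClass"),
             _field(text, "bInterfaceProtocol"))

    functional = None  # stays None when lsusb printed no undecoded descriptor
    for line in text.splitlines():
        if "UNRECOGNIZED:" in line:
            hex_part = "".join(line.split("UNRECOGNIZED:", 1)[1].split())
            raw = bytes.fromhex(hex_part)
            if len(raw) > 1 and raw[1] == 0x21:
                functional = parse_dfu_functional(raw)
                break

    return {
        "model": model,
        "pid_mode": pid_mode,
        "interface_is_dfu_mode": iface == (0xFE, 0x01, 0x02),
        "functional": functional,
    }


if __name__ == "__main__":
    print(inspect_lsusb(SAMPLE))
```

For this capture the descriptor reports download and upload support, a 2048-byte transfer size, and bcdDFUVersion 1.00 in the 9-byte layout.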
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

183973ef4792823727c55bd0269acb95468290e1 2785 2776 2010-07-14T05:01:57Z Cmwslw 1 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| border="1" cellpadding="5" cellspacing="0"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| ?
| ?
|-
| Classic 1G
| ?
| ?
|-
| Classic 2G
| ?
| ?
|}

Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

1261108c8f821ae6089c0f2fcdb2f226bb873d70 2793 2785 2010-07-25T18:44:29Z 89.12.143.194 0 added normal/DFU mode IDs for Nano 5g -- cyf wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.
For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. # Press the menu button and select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds. # Release the menu and select buttons. You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (apple), and the number after the colon is the Product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs: {| border="1" cellpadding="5" cellspacing="0" ! Device !! Normal !! DFU |- | Nano 2G | ? | ? |- | Nano 3G | 1262 | 1223/1224 |- | Nano 4G | 1263 | 1225 |- | Nano 5G | 1265 | 1231 |- | Classic 1G | ? | ? |- | Classic 2G | ? | ? |} Please replace the question marks if you can. ===DFU utility=== TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. 
These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository]. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf c088d32763dac99719c656eaec97d418796799d0 Main Page 0 50 2775 2768 2010-07-14T02:29:23Z Cmwslw 1 /* Other guides */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. 
*2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] * [[ILoader Howto]] |} 88e22493fb69c8f5252724955ab857d7f9da54ff 2781 2775 2010-07-14T02:34:00Z Cmwslw 1 /* Other guides */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. 
Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] * [[iLoader howto]] |} 6553717dde57be35c22e601e0907075bf9ccd7dd 2786 2781 2010-07-14T05:36:14Z Cmwslw 1 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! 
This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. *2009/09/05 - We would advise NOT to upgrade to iTunes 9 when it's released until more is known about it. (or any apple upgrade) We'll keep you updated '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 
2339700c684884de6c2f220c5891ee92dd3c0bf4 2795 2786 2010-07-28T17:16:44Z Cmwslw 1 Added a status update wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * Nano 2G ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 7f53aaca6e49c13acf695387aab0749326b7d2c4 File:Nano 1g frt a.png 6 68 2809 1574 2010-07-29T02:35:59Z Cmwslw 1 uploaded a new version of "[[File:1G frt annotation.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 2822 2809 2010-07-29T03:32:45Z Cmwslw 1 moved [[File:1G frt annotation.png]] to [[File:Nano 1g frt a.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 1g bck a.png 6 67 2810 1562 2010-07-29T02:38:10Z Cmwslw 1 uploaded a new version of "[[File:1G bck annotation.png]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 2824 2810 2010-07-29T03:34:26Z Cmwslw 1 moved [[File:1G bck annotation.png]] to [[File:Nano 1g bck a.png]] wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 2g frt a.png 6 70 2811 1575 2010-07-29T02:38:44Z Cmwslw 1 uploaded a new version of "[[File:2G frt annotation.png]]" wikitext 
Hardware 0 54 2858 2807 2010-07-30T03:31:55Z Cmwslw 1 /* 2G Nano */ wikitext text/x-wiki

Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.

==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|}

==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts.
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. From this generation on, all of the contents of the utility flash chip are encrypted.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424.
|}

==3G Nano and Classic==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75.
|-
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}

==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Samsung S5L8720 ARM1136JZF-S processor. It is worth knowing that this is the exact same processor used in the iPod Touch 2G. This could mean that some of the same exploits for that device could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| NAND Flash
| LGA type. Most units use the Toshiba TH58NVG6D1DLG87; some use the Samsung K9HCG08U5M.
|-
| LCD controller
| APPLE 338S0559
|-
| PMU
| APPLE 338S0807
|-
| Click Wheel IC
| There are two types of click wheel IC: CY8C214 and TS0839.
|}

==5G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| S5L8730. Printed backwards on the chip - how sneaky.
|-
| RAM
| Integrated
|-
| Utility Flash
| Various 8/16 GB chips. One example is the TH58NVG6D2ELA49, visible in the iFixit teardown.
|}

==Helpful pages==
*http://www.ipodlinux.org/wiki/Generations
*http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

===1G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
Teardowns:
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed

===2G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
*http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager)
*http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans)
Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

===3G Nano===
Chip analyses:
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
Teardowns:
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]

===4G Nano===
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

===5G Nano===
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
Other:
*http://purpleskank.wikidot.com/ipod-nano-5g

===1G Classic===
Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html

===2G Classic===
Teardowns:
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c

===Other (for comparison)===
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx
6d8405082b28145f16f10cfaf192127cd5333cfd File:Nano 2g frt a.jpg 6 237 2859 2010-07-30T03:38:44Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 2860 2859 2010-07-30T03:39:28Z Cmwslw 1 uploaded a new version of "[[File:Nano 2g frt a.jpg]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano 2g bck a.jpg 6 238 2861 2010-07-30T03:41:07Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Classic 2g bck a.png 6 239 2865 2010-07-30T03:57:08Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Main Page 0 50 2869 2795 2010-07-30T17:01:28Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This
is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] * [[Hardware annotation]] * [[Chronology]] * [[Nano 1G]] * [[Nano 2G]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * [[Nano 3G]] * [[Nano 4G]] * [[Nano 5G]] * [[Classic 1G]] * [[Classic 2G]] * [[Classic 3G]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} e3e0a73c46284e9f517d1977e1ea5b50c8af5d8b 2880 2869 2010-07-30T17:13:41Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. 
*2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware analysis]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Hardware]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} c9687d36957de4a7921d2c1fa9aa9903c079e731 2892 2880 2010-07-30T17:29:15Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. 
*2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware analysis]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Hardware]] (deprecated - use above) * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 6b98415c41a147fd298701c4c119628126f98f46 Nano 1G 0 240 2870 2010-07-30T17:02:10Z Cmwslw 1 Created page with '[[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 4 |...' wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 4 | Portal Player PP5021C-TDF | | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | SDRAM | 5 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | 10 | [http://www.sst.com/products/?inode=41856 SST39WF400A] | | This chip is documented very well. A similar chip is on the Nano 2G. |- | NAND Flash | 1 | Varies | | |- | Click wheel controller | 2 | CY8C21434 | | |- | ATA flash disk controller | 3 | SST5SLD019K | | |- | Audio codec | 6 | WM8975G | | |- | Step down regulator | 7 | LM34910 | | |- | Power manager | 8 | PCF50607 | | |- | USB charging | 9 | LTC4066 | | |} 9fcde21081a1791bb306594930a36d67446f3a14 2882 2870 2010-07-30T17:20:09Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 4 | Portal Player PP5021C-TDF | | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | SDRAM | 5 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | 10 | [http://www.sst.com/products/?inode=41856 SST39WF400A] | | This chip is documented very well. A similar chip is on the Nano 2G. 
|- | NAND Flash | 1 | Varies | | |- | Click wheel controller | 2 | CY8C21434 | | |- | ATA flash disk controller | 3 | SST5SLD019K | | |- | Audio codec | 6 | WM8975G | | |- | Step down regulator | 7 | LM34910 | | |- | Power manager | 8 | PCF50607 | | |- | USB charging | 9 | LTC4066 | | |} ==Helpful pages== *http://www.ipodlinux.org/wiki/Generations ea4d82c4257b46530455a1a7c93306ff795089fb 2883 2882 2010-07-30T17:21:02Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 4 | Portal Player PP5021C-TDF | | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | SDRAM | 5 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | 10 | [http://www.sst.com/products/?inode=41856 SST39WF400A] | | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | NAND Flash | 1 | Varies | | |- | Click wheel controller | 2 | CY8C21434 | | |- | ATA flash disk controller | 3 | SST5SLD019K | | |- | Audio codec | 6 | WM8975G | | |- | Step down regulator | 7 | LM34910 | | |- | Power manager | 8 | PCF50607 | | |- | USB charging | 9 | LTC4066 | | |} ==Helpful pages== *http://www.ipodlinux.org/wiki/Generations dfe5da7d26d026a78833887f1df9d6f4245be649 2902 2883 2010-07-30T20:25:47Z Cmwslw 1 /* Helpful pages */ wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! 
Notes |- | CPU | 4 | Portal Player PP5021C-TDF | | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | SDRAM | 5 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | 10 | [http://www.sst.com/products/?inode=41856 SST39WF400A] | | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | NAND Flash | 1 | Varies | | |- | Click wheel controller | 2 | CY8C21434 | | |- | ATA flash disk controller | 3 | SST5SLD019K | | |- | Audio codec | 6 | WM8975G | | |- | Step down regulator | 7 | LM34910 | | |- | Power manager | 8 | PCF50607 | | |- | USB charging | 9 | LTC4066 | | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed Other: *http://www.ipodlinux.org/wiki/Generations 2d4b3d32342f1f45a3d9598a2d2b56c26e753136 2903 2902 2010-07-30T20:31:24Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 4 | Portal Player PP5021C-TDF | PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | SDRAM | 5 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | SEC534 BG75, K4M56163PG, AQF061WX | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | 10 | [http://www.sst.com/products/?inode=41856 SST39WF400A] | SST39WF400A, 90-4C-C1QE, 0528149A | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | NAND Flash | 1 | Varies | | |- | Click wheel controller | 2 | CY8C21434 | CPMCYP, 6360A 02, K0R0512, 610881 | |- | ATA flash disk controller | 3 | SST5SLD019K | Logo, 55LD019K, 45-C-MWE, 0528071-A4 | |- | Audio codec | 6 | WM8975G | WM8975G, 56AGVF4 | |- | Step down regulator | 7 | LM34910 | JM54RE, 34910SD | |- | Power manager | 8 | PCF50607 | CF50607, 605940, Bug528, 23e/N1Y | |- | USB charging | 9 | LTC4066 | Logo, 5F, 4066, N7537 | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed Other: *http://www.ipodlinux.org/wiki/Generations 7eaffbd33e5e2d36ef1f0a2f0b9f123897a57dfa Nano 2G 0 241 2871 2010-07-30T17:02:46Z Cmwslw 1 Created page with '[[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 1 |...' wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! 
Notes |- | CPU | 1 | Samsung S5L8701 | | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | SDRAM | 2 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | 3 | [http://www.sst.com/products/?inode=41422 SST39WF800A] | | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | N/A | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | NAND Flash | B1 | Varies | | |- | USB charging | 6 | LTC4066 | | |- | Audio codec? | 5 | WM something? | | |- | Step down regulator | 4 | LM34910 | | |- | Power manager (below) | B2 | Probably Dialog? 
| | |} d93d0b06ee068314b273e47afa0680af29168133 2884 2871 2010-07-30T17:21:53Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 1 | Samsung S5L8701 | | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | SDRAM | 2 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | 3 | [http://www.sst.com/products/?inode=41422 SST39WF800A] | | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | N/A | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | NAND Flash | B1 | Varies | | |- | USB charging | 6 | LTC4066 | | |- | Audio codec? | 5 | WM something? 
| | |- | Step down regulator | 4 | LM34910 | | |- | Power manager (below) | B2 | Probably Dialog? | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 5fc17497cec2dc37c4eb0d7c93cb587ba3fa7bb5 2894 2884 2010-07-30T19:16:50Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 1 | Samsung S5L8701 |337S32918701 N042DQS 0636 ARM | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | SDRAM | 2 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75 K4M56163PG AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. 
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | 3 | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A 90-4C-C2QE 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | N/A | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | NAND Flash | B1 | Varies |TOSHIBA P11023 JAPAN 0636 KAE TP0560 TH58NVG5D4CTG20 | |- | USB charging | 6 | LTC4066 |Linear Technology 6H 4066 B8966 | |- | Audio codec? | 5 | WM something? |APPLE 338S0310 68BTST8 | |- | Step down regulator | 4 | LM34910 |National Semiconductor JM66RJ L34910B | |- | Power manager (below) | B2 | Probably Dialog? |APPLE 338S0261 P29T6 04 cPG0637Y 01/N2 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 6ce25bb76a6af6b95e2f012507421121ee89fb05 2895 2894 2010-07-30T19:17:48Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! 
Notes |- | CPU | 1 | Samsung S5L8701 |337S32918701 N042DQS 0636 ARM | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | SDRAM | 2 | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75 K4M56163PG AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | 3 | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A 90-4C-C2QE 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | N/A | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | NAND Flash | B1 | Varies |TOSHIBA P11023 JAPAN 0636 KAE TP0560 TH58NVG5D4CTG20 | |- | USB charging | 6 | LTC4066 |Linear Technology 6H 4066 B8966 | |- | Audio codec? | 5 | WM something? 
|APPLE 338S0310 68BTST8 | |- | Step down regulator | 4 | LM34910 |National Semiconductor JM66RJ L34910B | |- | Power manager (below) | B2 | Probably Dialog? |APPLE 338S0261 P29T6 04 cPG0637Y 01/N2 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 7812b8ae6fc51714ead560041eb0c862d29bb1f2 Nano 3G 0 242 2872 2010-07-30T17:03:33Z Cmwslw 1 Created page with '[[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 |...' wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | | WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Like the other SST chips, this one is also extremely well documented. 
|- | NAND Flash | 6 | Varies | | |- | Audio codec | 1 | WM1870 | | |- | Power manager | 4 | D1671B | | |} 37b2b22dfc206dd3f9a34e11dee45e205cbee7c1 2885 2872 2010-07-30T17:23:07Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | | WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | 6 | Varies | | |- | Audio codec | 1 | WM1870 | | |- | Power manager | 4 | D1671B | | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 281418b8c94456b88c1568adaeedb41d723d7eb3 2899 2885 2010-07-30T20:10:33Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! 
Notes |- | CPU | 2 | Samsung S5L8702 |337S3473 8702 NONBWOEC 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | | WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | 6 | Varies |Samsung 728 K9HCG08U5M PCB0 FCF285X1 | |- | Audio codec | 1 | WM1870 | | |- | Power manager | 4 | D1671B | | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 171442fbd55bee1f90220a93a0da2555c3384c47 2900 2899 2010-07-30T20:14:36Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 |337S3473 8702 NONBWOEC 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
|- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 |0728 C HYE18M256 169CX75 W3338092 | WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | 6 | Varies |Samsung 728 K9HCG08U5M PCB0 FCF285X1 | |- | Audio codec | 1 | WM1870 |APPLE 338S0462 76BZKTM | |- | Power manager | 4 | D1671B | | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 8b2b6044855880f1522ebbc45a70e647e4e1274b 2901 2900 2010-07-30T20:22:28Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 |337S3473 8702 NONBWOEC 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 |0728 C HYE18M256 169CX75 W3338092 | WORK ON THIS: Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] |V80B 729379 | Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | 6 | Varies |Samsung 728 K9HCG08U5M PCB0 FCF285X1 | |- | Audio codec | 1 | WM1870 |APPLE 338S0462 76BZKTM | |- | Power manager | 4 | D1671B |338S0408 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] fccdbac13e0dbe8d3d747e5cac30152affeade5e 2904 2901 2010-07-30T20:38:44Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 |337S3473 8702 NONBWOEC 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 |0728 C HYE18M256 169CX75 W3338092 | WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. 
Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] |V80B 729379 | Like the other SST chips, this one is also extremely well documented. |- | NAND Flash | 6 | Varies |Samsung 728 K9HCG08U5M PCB0 FCF285X1 | |- | Audio codec | 1 | WM1870 |APPLE 338S0462 76BZKTM | |- | Power manager | 4 | D1671B |338S0408 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# (View the text only version. The interactive version is broken I think) Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] de8d2579c926078ebca9ada59fa88e93f101be68 Nano 4G 0 243 2873 2010-07-30T17:04:24Z Cmwslw 1 Created page with '[[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |...' wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8720 | | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? | | |- | NAND Flash | 6 | Varies | | |- | Audio codec? 
| 5 | Probably Cirrus? | | |- | Power manager | 1 | Probably Dialog? | | |- | Accelerometer? | 3 | | | |} 24cc4871b5c74d055db55eefb56c55bcd363f487 2886 2873 2010-07-30T17:24:20Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8720 | | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? | | |- | NAND Flash | 6 | Varies | | |- | Audio codec? | 5 | Probably Cirrus? | | |- | Power manager | 1 | Probably Dialog? | | |- | Accelerometer? | 3 | | | |} ==Helpful pages==Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) f9bde754891baf6dcc55d30174cb53a67ade68b0 2887 2886 2010-07-30T17:24:34Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8720 | | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. 
Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? | | |- | NAND Flash | 6 | Varies | | |- | Audio codec? | 5 | Probably Cirrus? | | |- | Power manager | 1 | Probably Dialog? | | |- | Accelerometer? | 3 | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) cd4ce77bb847e43a31aff4ed85a5ed330c266862 2896 2887 2010-07-30T19:39:58Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8720 |339S0049 ARM K4X56323PI-KGC4 YWE025QH 825 APL0278A00 N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? | | |- | NAND Flash | 6 | Varies | | |- | Audio codec? | 5 | Probably Cirrus? | | |- | Power manager | 1 | Probably Dialog? |338S0687-AC 08288HBB | |- | Accelerometer? | 3 | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 675b91ba3e61816d1d218dc85d6a165daf9cd56a 2897 2896 2010-07-30T19:41:14Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! 
Notes |- | CPU | 2 | Samsung S5L8720 |339S0049 ARM K4X56323PI-KGC4 YWE025QH 825 APL0278A00 N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? |33DL 2827 | |- | NAND Flash | 6 | Varies | | |- | Audio codec? | 5 | Probably Cirrus? |338S055C 189N0824 SGP | |- | Power manager | 1 | Probably Dialog? |338S0687-AC 08288HBB | |- | Accelerometer? | 3 | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 9694da82ebd1923a73ce193068b060739c36589e 2898 2897 2010-07-30T19:42:07Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8720 |339S0049 ARM K4X56323PI-KGC4 YWE025QH 825 APL0278A00 N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | SDRAM | | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | Utility Flash? | 4 | Probably SST? |33DL 2827 | |- | NAND Flash | 6 | Varies |TH58NVG6D1DLA87 U20516 JAPAN 0826MAE | |- | Audio codec? | 5 | Probably Cirrus? 
|338S055C 189N0824 SGP | |- | Power manager | 1 | Probably Dialog? |338S0687-AC 08288HBB | |- | Accelerometer? | 3 | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) a962968d96a1691a420f3ca3dca24f0fac449269 Nano 5G 0 244 2874 2010-07-30T17:04:47Z Cmwslw 1 Created page with '[[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]]' wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] 5fd225c027b930a346d9787539bcf3d171f6ecdf 2888 2874 2010-07-30T17:25:22Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== WORK ON THIS ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g 9dd24e5202b892c1e1f2b8bccb6ddab49ddb509a 2893 2888 2010-07-30T17:33:29Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8730 | | Printed backwards on the chip - how sneaky. |- | SDRAM | | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND Flash | 8 | Various 8/16 GB chips | | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g 542311412f7eb59646b2b8dbdc519a88322eab1b Classic 1G 0 245 2875 2010-07-30T17:05:21Z Cmwslw 1 Created page with '[[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front]...' 
wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 3 | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | SDRAM | 2 | K4X51163PE | | |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | Audio codec | 4 | Cirrus | | |- | Power manager | 1 | Probably Dialog? | | |- | USB charging | 6 | LTC4066 | | |} 71df9e350d8c12dd6d303bc0687fc4d80f22f8b9 2889 2875 2010-07-30T17:26:48Z Cmwslw 1 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 3 | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | SDRAM | 2 | K4X51163PE | | |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | Audio codec | 4 | Cirrus | | |- | Power manager | 1 | Probably Dialog? | | |- | USB charging | 6 | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html 1d4419c4573ff9f0229279fdcdd53194ab11155b Classic 2G 0 246 2876 2010-07-30T17:07:03Z Cmwslw 1 Created page with '[[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] Almost exactly the same hardware, except that region A is populated. 
This presumably communicates with ...' wikitext text/x-wiki [[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] Almost exactly the same hardware, except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support. b4aa2861faa61f6c973af2888d56e124493ec51a 2890 2876 2010-07-30T17:28:11Z Cmwslw 1 wikitext text/x-wiki [[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] ==Components== Almost exactly the same hardware as the [[Classic 1G]], except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support. ==Helpful pages== Teardowns: *http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c 9df48954c7c17b3a54982e55c33a7281fd44da7a Classic 3G 0 247 2877 2010-07-30T17:07:55Z Cmwslw 1 Created page with 'No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ ...' wikitext text/x-wiki No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide to the non-electronic differences] by iLounge. Since the model number is the same as the Classic 2G, there probably aren't any worthwhile differences (if any) in the hardware. f224af57bd5847a9ed3b51ccefcef9737613bc95 2891 2877 2010-07-30T17:28:48Z Cmwslw 1 wikitext text/x-wiki No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide to the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware.
bf66e1f891875fdaa00ebdab4a131b9f7884b301 Nano 3G 0 242 2905 2904 2010-07-30T20:46:08Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | CPU | 2 | Samsung S5L8702 |337S3473 8702 NONBWOEC 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | SDRAM | 3 | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 |0728 C HYE18M256 169CX75 W3338092 | SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | Utility Flash | 5 | [http://www.sst.com/products/?inode=41340 SST25VF080B] |V80B 729379 | Flash - NOR, 8Mb, Serial SPI |- | NAND Flash | 6 | Varies |Samsung 728 K9HCG08U5M PCB0 FCF285X1 | |- | Audio codec | 1 | WM1870 |APPLE 338S0462 76BZKTM | |- | Power manager | 4 | D1671B |338S0408 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 34e2da0c9d727d969f35b2cd5225ee9c18bb21ee 2908 2905 2010-07-31T03:28:44Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! 
Notes |- | 2 | CPU | Samsung S5L8702 | 337S3473 8702, NONBWOEC, 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | 3 | SDRAM | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | 0728, C, HYE18M256, 169CX75, W3338092 | SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | V80B, 729379 | Flash - NOR, 8Mb, Serial SPI |- | 6 | NAND Flash | Varies | Samsung 728, K9HCG08U5M, PCB0, FCF285X1 | |- | 1 | Audio codec | WM1870 | APPLE, 338S0462, 76BZKTM | |- | 4 | Power manager | D1671B | 338S0408, 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 4f6716321e157ad7e69d7b0f8aea832cc6c8a9a4 Nano 1G 0 240 2906 2903 2010-07-31T03:18:52Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 4 | CPU | Portal Player PP5021C-TDF | PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. 
|- | 5 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | SEC534 BG75, K4M56163PG, AQF061WX | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | 10 | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A] | SST39WF400A, 90-4C-C1QE, 0528149A | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | 1 | NAND Flash | Varies | | |- | 2 | Click wheel controller | CY8C21434 | CPMCYP, 6360A 02, K0R0512, 610881 | |- | 3 | ATA flash disk controller | SST5SLD019K | Logo, 55LD019K, 45-C-MWE, 0528071-A4 | |- | 6 | Audio codec | WM8975G | WM8975G, 56AGVF4 | |- | 7 | Step down regulator | LM34910 | JM54RE, 34910SD | |- | 8 | Power manager | PCF50607 | CF50607, 605940, Bug528, 23e/N1Y | |- | 9 | USB charging | LTC4066 | Logo, 5F, 4066, N7537 | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed Other: *http://www.ipodlinux.org/wiki/Generations e930a9ee48fda7a8bae51702449af09ef71bf7bc Nano 2G 0 241 2907 2895 2010-07-31T03:26:15Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 1 | CPU | Samsung S5L8701 |337S32918701, N042DQS, 0636 ARM | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. 
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | 2 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75, K4M56163PG, AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | 3 | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A, 90-4C-C2QE, 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | N/A | DSP | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | B1 | NAND Flash | Varies |TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20 | |- | 6 | USB charging | LTC4066 |Linear Technology, 6H, 4066, B8966 | |- | 5 | Audio codec? | WM something? |APPLE, 338S0310, 68BTST8 | |- | 4 | Step down regulator | LM34910 |National Semiconductor, JM66RJ, L34910B | |- | B2 | Power manager (below) | Probably Dialog? 
|APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 53c6be08cf6ecc0beeebd4f838aed441c8e8a2b4 Nano 4G 0 243 2909 2898 2010-07-31T03:31:11Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== WORK ON THIS {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Utility Flash? | Probably SST? | 33DL, 2827 | |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec? | Probably Cirrus? | 338S055C, 189N0824, SGP | |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | Accelerometer? 
| | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) bb19f39d2f7e1e8bc93483486b08e928d213268d 2917 2909 2010-07-31T04:27:20Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Utility Flash? | Probably SST? | 33DL, 2827 | |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the Nano 5G has a similar chip, which we are sure of the identity. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | Accelerometer? | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 2884088a4b4763c0dcdf5b1010f52beabf168570 2918 2917 2010-07-31T04:48:23Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! 
Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | Probably [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the Nano 5G has a similar chip, which we are sure of the identity. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 272c718013d87e21c25f0172aa558ba6d0794e79 2921 2918 2010-07-31T05:40:23Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. 
[http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the Nano 5G has a similar chip, which we are sure of the identity. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 698474fb821d5c2dfbedafbd0cbdb7497bf443a4 2925 2921 2010-08-01T00:09:15Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) b47c80339f4966d0da8182a00860792c642ef206 2928 2925 2010-08-01T05:15:21Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. 
|- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) c9a37e666e86fa306b29d5a7644e90bc8b6997a6 Nano 5G 0 244 2910 2893 2010-07-31T03:31:54Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Label !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g efdc3c819ef6a812a28f6e544f0ef306134fb640 2911 2910 2010-07-31T03:32:06Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | 8 | NAND Flash | Various 8/16 GB chips | | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g ad36d642689ce03a369ae1f04746c167a3c5c1f2 2913 2911 2010-07-31T03:35:26Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | | | | |- | 3 | | | | |- | 4 | | | | |- | 5 | | | | |- | 6 | | | | |- | 7 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g 7efa3f9f265db0801c234c1b51cb986232a33871 2915 2913 2010-07-31T03:49:14Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | | | 338S0707, -AD, 09278HGZ | |- | 3 | | | | |- | 4 | | | | |- | 5 | | | 338S0559, ATWV0926, SGP | |- | 6 | | | 33DM, 2910 | |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g feca80f8a97b39b0361ede382bed7764540176d6 2916 2915 2010-07-31T04:24:41Z Cmwslw 1 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | | | 338S0707, -AD, 09278HGZ | |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | | | 33DM, 2910 | |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 7a957be4189a8aaebee0c51e38a31075bbb9ac39 2919 2916 2010-07-31T04:50:32Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! 
Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | | | 338S0707, -AD, 09278HGZ | |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | Probably [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 ec7bdc2250d4748fd65e081d6df22fb5c4171706 2920 2919 2010-07-31T05:01:48Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. 
Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | Probably [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 06486497f45d7e1064db9c9a7838807726beb876 2922 2920 2010-07-31T05:41:00Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. 
Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 c23686b6a820254a08501e1f8e2b763e835a1531 Classic 1G 0 245 2912 2889 2010-07-31T03:33:10Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | Probably Dialog? | | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html a94c1324590d419a782e1c70e85a95e37ce161cc 2929 2912 2010-08-01T05:25:21Z Cmwslw 1 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Components== {| border="1" cellpadding="5" cellspacing="0" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | Probably Dialog? | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html fd310686b2bbe77e69c3128dd71c8aee0d549a7b Hardware 0 54 2914 2858 2010-07-31T03:37:58Z Cmwslw 1 wikitext text/x-wiki '''README: This page is deprecated. Refer to our [[Hardware analysis]] pages instead.''' Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G.
|} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. |} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could possibly be used here as well. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. The most common is the Toshiba TH58NVG6D1DLG87; some units use the Samsung K9HCG08U5M |- | LCD controller | APPLE 338S0559 |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips.
One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== *http://www.ipodlinux.org/wiki/Generations *http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed ===2G Nano=== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf ===3G Nano=== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) ===5G Nano=== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g ===1G Classic=== Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===2G Classic=== Teardowns: 
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c ===Other (for comparison)=== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 34121a27ddef7791f67f609d8fb30f281085f979 2924 2914 2010-07-31T06:08:22Z 115.197.123.146 0 /* 4G Nano */ wikitext text/x-wiki '''README: This page is deprecated. Refer to our [[Hardware analysis]] pages instead.''' Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts.
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented. 
|} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the exploits for that device could possibly be used here as well. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND FLASH | LGA type. The most common is the Toshiba TH58NVG6D1DLG87; some units use the Samsung K9HCG08U5M |- | LCD controller | APPLE 338S055C |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== *http://www.ipodlinux.org/wiki/Generations *http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues ===1G Nano=== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed ===2G Nano=== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf ===3G Nano=== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] ===4G Nano=== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) ===5G Nano=== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g ===1G Classic=== Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html ===2G Classic=== Teardowns: *http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c ===Other (for comparison)=== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 695ecf67a7b57f2d585e1285cd6d3ee070842eee User talk:Cmwslw 3 249 2923 2010-07-31T06:07:45Z 115.197.123.146 0 Created page with 'Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my p...' 
wikitext text/x-wiki Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english 27153c09f9826a933ae34211b22019b5f67480ae 2926 2923 2010-08-01T00:19:38Z Cmwslw 1 wikitext text/x-wiki Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) 0ffd858302a9352199982bfef058f8960f2bec9d 2930 2926 2010-08-01T06:56:33Z Sinless 141 wikitext text/x-wiki Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) Hello,I still have my nano4 open and i have two working board and one broken board(have removed all IC),tommorrow i will check the wires under No.3 And,i got iphone 3g and 3gs's empty board,can they help? b4c14c81d423b9d95b21c68437a0f3b3a7e66636 2931 2930 2010-08-01T11:20:58Z Sinless 141 wikitext text/x-wiki Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. 
[[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) Hello,I checked the nano4 board again just now,and the wires under NO.5 connects both to LCD jack and Earphone jack..(I'm sure,they are not the GND pins,so maybe NO.5 is a multimedia chip?...) And...I can't find out the detail about NO.3 chip,it don't connect to LCD or earphone(maybe due to the broken board). I also took two photos(nano4 board with all chips removed),but the quality is low,the only camera i can use is 3GS... I have many broken ipod boards, if you have any problems about chips on them,send message to me~I can dump them and take photos... Here are the link: Board Back http://i3.6.cn/cvbnm/ce/c5/f6/01e1e35641a4b8fde7822545b20c6a5c.jpg Board Front http://i3.6.cn/cvbnm/46/be/95/bb99569adee431472c299026bd8a0136.jpg Dumped CPU http://i3.6.cn/cvbnm/c0/24/e3/fa8d051d5d2b1f50be46428010d73512.jpg 7e475552ea7348d8e242e3dbf2982db1e1d6229a 2932 2931 2010-08-01T11:22:05Z Sinless 141 wikitext text/x-wiki Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) Hello,I checked the nano4 board again just now,and the wires under NO.5 connects both to LCD jack and Earphone jack..(I'm sure,they are not the GND pins,so maybe NO.5 is a multimedia chip?...) And...I can't find out the detail about NO.3 chip,it don't connect to LCD or earphone(maybe due to the broken board). I also took two photos(nano4 board with all chips removed),but the quality is low,the only camera i can use is 3GS... I have many broken ipod boards, if you have any problems about chips on them,send message to me~I can dump them and take photos... 
Here are the link: Board Back http://i3.6.cn/cvbnm/ce/c5/f6/01e1e35641a4b8fde7822545b20c6a5c.jpg Board Front http://i3.6.cn/cvbnm/46/be/95/bb99569adee431472c299026bd8a0136.jpg Dumped CPU http://i3.6.cn/cvbnm/c0/24/e3/fa8d051d5d2b1f50be46428010d73512.jpg 8c95982073537b349ff43b407af4bbb7470a6643 Main Page 0 50 2927 2892 2010-08-01T03:23:10Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. 
See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware analysis]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 01eaba2cbac942589bfdb04a29da668044fea96f 2933 2927 2010-08-01T16:47:06Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/01 - serpilliere managed to access and dump the SPI flash on the Nano 3G. 
This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[GNU ARM toolchain]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware analysis]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} be7302be98a66c126837da52ba6ea0825d072383 2939 2933 2010-08-01T22:39:04Z Cmwslw 1 /* Basic skills */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/01 - serpilliere managed to access and dump the SPI flash on the Nano 3G. This code could possibly work on the Classics. 
*2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware encryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware analysis]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 679104abc2a98432101540affb38fe8557d30dc1 2956 2939 2010-08-02T23:08:06Z Cmwslw 1 /* Software efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/01 - serpilliere managed to access and dump the SPI flash on the Nano 3G. This code could possibly work on the Classics. 
*2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Todo list ]]
* [[ Willing testers]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
** [[iLoader howto]]
** [[iLoader themes]]
** [[iLoader testing results]]
* [[iBugger]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Software efforts===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* Nano 2G
** [[Nano2G bootrom]]
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware efforts===
* [[Hardware analysis]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}
e60bb3fc5258db88bdd50972abe10137d540eec5 Modes 0 52 2934 2793 2010-08-01T17:22:52Z Teuf 147 add classic3g dfu usb id wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
==Disk mode==
Disk mode has existed for as long as the iPod has. It is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
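The modes on this page can be told apart from the host by USB product ID, using the values in the product-ID table in the DFU mode section. The following Python sketch is an added example, not part of the wiki or of TheSeven's tools: it parses <code>lsusb</code> output (the sample lines are constructed) and reports which device and mode each Apple product ID matches, including the ambiguous 1223 that the table lists for both the Nano 3G and the Classic 3G in DFU mode.

```python
import re

APPLE_VENDOR_ID = "05ac"

# Product IDs copied from the table on this page, as lsusb prints them (hex).
# Devices whose IDs are still "?" in the table are left out.
PRODUCT_IDS = {
    "Nano 3G": {"normal": {"1262"}, "dfu": {"1223", "1224"}},
    "Nano 4G": {"normal": {"1263"}, "dfu": {"1225"}},
    "Nano 5G": {"normal": {"1265"}, "dfu": {"1231"}},
    "Classic 3G": {"normal": {"1261"}, "dfu": {"1223"}},
}

# Start of an lsusb line: "Bus 001 Device 004: ID 05ac:1225 ..."
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})"
)

# Constructed sample input; the description text after the IDs is not parsed.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05ac:1225 Apple, Inc.
Bus 001 Device 005: ID 05ac:1223 Apple, Inc.
Bus 002 Device 003: ID 05ac:1262 Apple, Inc.
Bus 002 Device 007: ID 05ac:0220 Apple, Inc.
"""


def classify(product_id):
    """Return every (device, mode) pair from the table that uses this ID.

    The result is a sorted list because one ID can map to several devices:
    1223 is listed as the DFU ID of both the Nano 3G and the Classic 3G.
    """
    product_id = product_id.lower()
    matches = []
    for device, modes in PRODUCT_IDS.items():
        for mode, ids in modes.items():
            if product_id in ids:
                matches.append((device, mode))
    return sorted(matches)


def scan(lsusb_output):
    """Parse lsusb text and classify every device with Apple's vendor ID."""
    results = []
    for line in lsusb_output.splitlines():
        match = LSUSB_LINE.match(line.strip())
        if not match or match.group("vid").lower() != APPLE_VENDOR_ID:
            continue
        product_id = match.group("pid").lower()
        results.append({
            "bus": match.group("bus"),
            "device": match.group("dev"),
            "product_id": product_id,
            "candidates": classify(product_id),
        })
    return results


def describe(entry):
    """Render one scan() result as a single human-readable line."""
    where = "bus %s device %s (05ac:%s)" % (
        entry["bus"], entry["device"], entry["product_id"])
    if not entry["candidates"]:
        return where + ": Apple device, product ID not in the table"
    options = " or ".join("%s in %s mode" % c for c in entry["candidates"])
    return where + ": " + options


if __name__ == "__main__":
    for entry in scan(SAMPLE_LSUSB):
        print(describe(entry))
```

On a real machine, pass the captured output of <code>lsusb</code> to <code>scan()</code> instead of the sample string.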
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])
==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. Since the Nano 3G, DFU mode is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:
{| border="1" cellpadding="5" cellspacing="0"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| ?
| ?
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| ?
| 1223
|}
Please replace the question marks if you can.
===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. There is also a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod.
Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
65a57b40a2144d65a46fc57275b66479f12bbbe6 2935 2934 2010-08-01T17:41:52Z Teuf 147 /* Getting DFU mode on 3G/4G */ add classic3g usb id wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
==Disk mode==
Disk mode has existed for as long as the iPod has. It is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])
==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. Since the Nano 3G, DFU mode is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.
===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:
{| border="1" cellpadding="5" cellspacing="0"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| ?
| ?
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| 1261
| 1223
|}
Please replace the question marks if you can.
===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. There is also a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].
==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
559ea66152d5b754d11cbc7f413dbea3b5c9342c Working with binaries 0 201 2936 2715 2010-08-01T22:23:24Z Cmwslw 1 moved [[GNU ARM toolchain]] to [[Working with binaries]]: this needs to be more general wikitext text/x-wiki
Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod.
==Obtaining==
The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/.
You can either download source or binaries. Put the binaries in your system path. ==Assembling== <pre> arm-elf-as -o test.o test.asm arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o arm-elf-objcopy -O binary test.elf test.bin </pre> ==Disassembling== <pre> arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm </pre> ==Preparing for IDA Pro demo== The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands: <pre> arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf arm-elf-objcopy --set-section-flags .data=code dump.elf </pre> ==Helpful pages== http://chdk.wikia.com/wiki/GPL_Disassembling http://www.dwelch.com/ipod/ 35fef34426da823902945bd06f324fc6f93ce92a 2938 2936 2010-08-01T22:38:49Z Cmwslw 1 wikitext text/x-wiki ==GNU ARM toolchain== Compiling for the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ===Obtaining=== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path. ===Assembling=== <pre> arm-elf-as -o test.o test.asm arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o arm-elf-objcopy -O binary test.elf test.bin </pre> ===Disassembling=== <pre> arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm </pre> ==IDA Pro demo== ===IDA Pro 5.7 paid=== This is the best version if you can pay. One of the main advantages over its demo version is that you can save project files. ===IDA Pro 5.7 demo=== This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. 
Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands: <pre> arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf arm-elf-objcopy --set-section-flags .data=code dump.elf </pre> ===IDA Pro 4.9 freeware=== This version is tempting to download but useless since it doesn't support ARM. ==Helpful pages== http://chdk.wikia.com/wiki/GPL_Disassembling http://www.dwelch.com/ipod/ e87ae1420834290ce949f05f41eaffbf834997cf 2946 2938 2010-08-02T18:10:34Z Cmwslw 1 /* GNU ARM toolchain */ wikitext text/x-wiki ==GNU ARM toolchain== Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ===Obtaining=== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path. ===Assembling=== <pre> arm-elf-as -o test.o test.asm arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o arm-elf-objcopy -O binary test.elf test.bin </pre> ===Disassembling=== <pre> arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm </pre> ==IDA Pro demo== ===IDA Pro 5.7 paid=== This is the best version if you can pay. One of the main advantages over its demo version is that you can save project files. ===IDA Pro 5.7 demo=== This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. 
Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands: <pre> arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf arm-elf-objcopy --set-section-flags .data=code dump.elf </pre> ===IDA Pro 4.9 freeware=== This version is tempting to download but useless since it doesn't support ARM. ==Helpful pages== http://chdk.wikia.com/wiki/GPL_Disassembling http://www.dwelch.com/ipod/ cc3d825ca8a03fa638dee13bee2e9070959dff80 2947 2946 2010-08-02T18:32:35Z Cmwslw 1 /* IDA Pro demo */ wikitext text/x-wiki ==GNU ARM toolchain== Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod. ===Obtaining=== The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path. ===Assembling=== <pre> arm-elf-as -o test.o test.asm arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o arm-elf-objcopy -O binary test.elf test.bin </pre> ===Disassembling=== <pre> arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm </pre> ==IDA Pro== ===Distributions=== ====IDA Pro 5.7 paid==== This is the best version if you can pay. One of the main advantages over its demo version is that you can save project files. ====IDA Pro 5.7 demo==== This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. 
Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
# Wrap the raw dump in an ELF file whose section addresses start at 0xff810000
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
# Flag the .data section as code so that it is disassembled
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>
====IDA Pro 4.9 freeware====
This version is tempting to download but useless since it doesn't support ARM.
===Usage===
#To create a new disassembly database, go to File->New...
#Select "Binary/Raw File" under the "Various files" tab.
#Select the binary file you want to examine.
#Click next. You don't need the analysis options.
#The processor you should select is "ARM processors: ARM". Click next.
#Click finish. Now you are asked about memory mapping. Fill out the info and press OK.
#IDA will now create the project file. Sometimes it freezes, but if it does just try these steps again. There should be two popups concerning thumb mode and your program's entry point. Press OK for both of them.
#Go to 0x02000000 and press 'C'. This tells IDA that this is code. All the other code should appear now.
#You are good to go. Happy analyzing!
==Helpful pages==
http://chdk.wikia.com/wiki/GPL_Disassembling
http://www.dwelch.com/ipod/
b8321676acaf2442b476317d2e3405256b986810 2949 2947 2010-08-02T18:35:17Z Cmwslw 1 /* Usage */ wikitext text/x-wiki
==GNU ARM toolchain==
Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod.
===Obtaining===
The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.
===Assembling===
<pre>
# Assemble, link at address 0 with entry point 0, then extract the raw binary
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>
===Disassembling===
<pre>
# Disassemble a raw binary as ARMv4 code
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>
==IDA Pro==
===Distributions===
====IDA Pro 5.7 paid====
This is the best version if you can pay.
One of the main advantages over its demo version is that you can save project files.
====IDA Pro 5.7 demo====
This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround for opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
# Wrap the raw dump in an ELF file whose section addresses start at 0xff810000
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
# Flag the .data section as code so that it is disassembled
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>
====IDA Pro 4.9 freeware====
This version is tempting to download but useless since it doesn't support ARM.
===Usage===
[[Image:ida_config.png|thumb]]
#To create a new disassembly database, go to File->New...
#Select "Binary/Raw File" under the "Various files" tab.
#Select the binary file you want to examine.
#Click next. You don't need the analysis options.
#The processor you should select is "ARM processors: ARM". Click next.
#Click finish. Now you are asked about memory mapping. To the right is an example for the 4G bootrom. Fill out the info and press OK.
#IDA will now create the project file. Sometimes it freezes, but if it does just try these steps again. There should be two popups concerning thumb mode and your program's entry point. Press OK for both of them.
#Go to 0x02000000 and press 'C'. This tells IDA that this is code. All the other code should appear now.
#You are good to go. Happy analyzing!
==Helpful pages==
http://chdk.wikia.com/wiki/GPL_Disassembling
http://www.dwelch.com/ipod/
31a78ed7e2c663d893fdae1861aced300daaa6cd Pwnage 2.0 0 200 2940 2722 2010-08-01T23:01:56Z Cmwslw 1 wikitext text/x-wiki
Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so Apple cannot patch it in devices that have already shipped.
Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800. The iPod Classic and Nano lines are vulnerable to Pwnage 2.0, but this vulnerability has been patched starting with the [[5G Nano]]. ==WTF== The WTF file is the first recovery stage. It is believed that this stage facilitates the loading of a second stage. The iPhoneWiki has some limited information about WTF binaries [http://theiphonewiki.com/wiki/index.php?title=WTF here]. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section, find the WTF for your device, and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. The WTF has a header of length 0x600 (on the S5L8720 at least). This header is mostly zeros, but it also holds the length of the certificate. In the middle is the large encrypted payload. The certificate is at the end of the WTF. On the S5L8720 the certificate is 0xBE3 bytes long. ==Preparing WTF== In order to use the exploit, you must overwrite part of the WTF's main body with a payload. Offset 0x800 is a good place to start the payload. To be continued... 7cd80795ea5e054ace5a856cdb58ec3c108e352a 2941 2940 2010-08-01T23:02:12Z Cmwslw 1 wikitext text/x-wiki Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple.
Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800. The iPod Classic and Nano lines are vulnerable to Pwnage 2.0, but this vulnerability has been patched starting with the [[Nano 5G]]. ==WTF== The WTF file is the first recovery stage. It is believed that this stage facilitates the loading of a second stage. The iPhoneWiki has some limited information about WTF binaries [http://theiphonewiki.com/wiki/index.php?title=WTF here]. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section, find the WTF for your device, and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. The WTF has a header of length 0x600 (on the S5L8720 at least). This header is mostly zeros, but it also holds the length of the certificate. In the middle is the large encrypted payload. The certificate is at the end of the WTF. On the S5L8720 the certificate is 0xBE3 bytes long. ==Preparing WTF== In order to use the exploit, you must overwrite part of the WTF's main body with a payload. Offset 0x800 is a good place to start the payload. To be continued... e7828d021718556c7b3b5d1199f45a6734861017 Status 0 121 2942 2695 2010-08-01T23:04:51Z Cmwslw 1 /* Basic drivers or steps: */ wikitext text/x-wiki This status is based on the progress the Linux4nano team has made.
== Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
| <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! 2G Nano !! 3G Nano !! 4G Nano !! 5G Nano !! 1G Classic (aka 6G) !! 2G Classic (aka 6.5G) !! 3G Classic |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap 
| <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 1280205a12e275cfe57a48244c7509023b0df38a 2943 2942 2010-08-01T23:05:41Z Cmwslw 1 /* Custom firmware */ wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! 
[[Classic 3G]] (160thin) |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 3d836d088f16170d78519488e650fe1bdee910b7 2945 2943 2010-08-01T23:09:16Z Cmwslw 1 /* Custom firmware */ wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! 
[[Classic 3G]] (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin) |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes''', see [http://l4n.clustur.com/index.php/ILoader_howto#Uncapping here]</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 1d35dc5d423f4fed146ba3d16a3c234455c175f9 File:Ida config.png 6 251 2948 2010-08-02T18:33:03Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 freemyipod.org:About 4 115 2950 2445 2010-08-02T18:45:00Z Cmwslw 1 wikitext text/x-wiki This wiki was started in order to collect all information about the linux4nano project, whether that be on IRC, the website, or the mailing list, and compile it all into a convenient and organized location. Please feel free to add/edit information (it is a wiki after all). Please keep in mind that this wiki is for the purpose of cracking the iPod encryption. While we want to find out as much about the iPod as we can, we need to try to keep only information relevant to cracking the iPod in the wiki. This keeps the wiki informative, but still concise. Also, when editing the wiki, please be sure to include sources (to avoid plagiarism, but mostly for convenience). Also, '''speculation is good'''! Since this is an ongoing project, some things might not be known for sure. Even so, it is important to put speculation in this wiki to keep ideas flowing. Just make sure you mark speculation by using a question mark or something. 584e2ed218bb8e55aa1a35551f119bd7000a8b25 File:Logo.svg 6 252 2951 2010-08-02T18:54:05Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Firmware decryption 0 66 2952 2407 2010-08-02T23:07:29Z Cmwslw 1 moved [[Firmware encryption]] to [[Firmware decryption]] wikitext text/x-wiki Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those on the iPhone and iPod touch.
The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ 14697d64b7c4ce99fb6d6ef271a6ccdbed32079c Firmware encryption 0 253 2953 2010-08-02T23:07:29Z Cmwslw 1 moved [[Firmware encryption]] to [[Firmware decryption]] wikitext text/x-wiki #REDIRECT [[Firmware decryption]] 5746cb455225adf97487e0dec8f2719df78a46d1 Talk:Firmware decryption 1 76 2954 2214 2010-08-02T23:07:29Z Cmwslw 1 moved [[Talk:Firmware encryption]] to [[Talk:Firmware decryption]] wikitext text/x-wiki You need access to the AES engine. What happens is the bootloader has a "salt", if that is the correct word for it, as I am not a crypto expert, and that is encrypted with the system gid key. The result of that was used as the key, with an IV of 0, to decrypt the firmware files. Now, the thing is, this gid key is never loaded into RAM, so any time you need to utilize it, you need direct access to the AES engine. This means, basically, you need to be able to write to the registers directly, no kernel or anything to get in the way. Hopefully this helps, that is how it worked for the iPod touch and iPhone before Apple came out with the new KBAG method, so it should probably give you a push in the right direction. I have no idea how the nano does stuff, so I don't know how feasible this would actually be for you all. [[User:Chronic|Chronic]] 01:50, 26 March 2009 (UTC) The nano in fact uses the GID key directly on the data. --[[User:TheSeven|TheSeven]] 21:44, 23 September 2009 (UTC) == DSP == Can the DSP be involved in the encrypt-decrypt process? Newer chips sometimes include an embedded encryption unit, but n2g's CPU does not - so why not use the DSP? Need more info on "CalmRisc16+MAC2424". The nano in fact has a crypto coprocessor, which is pretty much 8900-like.
--[[User:TheSeven|TheSeven]] 21:44, 23 September 2009 (UTC) bd4e19e31095d686be94f6ef4241305ccd4f91a3 Talk:Firmware encryption 1 254 2955 2010-08-02T23:07:29Z Cmwslw 1 moved [[Talk:Firmware encryption]] to [[Talk:Firmware decryption]] wikitext text/x-wiki #REDIRECT [[Talk:Firmware decryption]] 2fee55b20f30b9fef172a7e3fa779056e172d950 Hardware 0 54 2957 2924 2010-08-02T23:12:17Z Cmwslw 1 /* Helpful pages */ wikitext text/x-wiki '''README: This page is deprecated. Refer to our [[Hardware analysis]] pages instead.''' Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. ==1G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A]. This chip is documented very well. A similar chip is on the Nano 2G. |} ==2G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8701 System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB (1.1-host; 2.0-function) and some other parts.
Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | RAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A], which stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | DSP | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |} ==3G Nano and Classic== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8702 ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | RAM | Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75. |- | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|} ==4G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | Samsung S5L8720 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits could possibly be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | RAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | NAND flash | LGA type. Most are Toshiba TH58NVG6D1DLG87, some are Samsung K9HCG08U5M. |- | LCD controller | APPLE 338S055C |- | PMU | APPLE 338S0807 |- | Click Wheel IC | There are two types of click wheel IC: CY8C214 and TS0839. |} ==5G Nano== {| border="1" cellpadding="5" cellspacing="0" ! Component !! Details |- | CPU | S5L8730. Printed backwards on the chip - how sneaky. |- | RAM | Integrated |- | Utility Flash | Various 8/16 GB chips. One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |} ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 1a91016b977a93dadc3f78c0994deb45627ee5f5 2958 2957 2010-08-02T23:24:17Z Cmwslw 1 wikitext text/x-wiki '''README: This page is deprecated. Refer to our [[Hardware analysis]] pages instead.''' Although iPods have many other components, here we are only listing the components that might be relevant to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page. For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page. {| border="1" cellpadding="5" cellspacing="0" ! Generation !! CPU !! Utility flash, size !!
RAM size |- |[[Nano 1G]] |PP5021C-TDF | | |- |[[Nano 2G]] | | | |- |[[Nano 3G]] | | | |- |[[Nano 4G]] | | | |- |[[Nano 5G]] | | | |- |[[Classic 1G]] | | | |- |[[Classic 2G]] | | | |- |[[Classic 3G]] | | | |} ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 6888d47a40608b826434bb9f9666d772de7e4faf 2960 2958 2010-08-03T00:15:52Z Cmwslw 1 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| border="1" cellpadding="5" cellspacing="0" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Classic 1G]] | | | | | |- |[[Classic 2G]] | | | | | |- |[[Classic 3G]] | | | | | |} ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 4c62066ac26510e690e0715346a8e18989ff7bcf 2961 2960 2010-08-03T00:23:53Z Cmwslw 1 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. 
{| border="1" cellpadding="5" cellspacing="0" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx bcc9bdbdc13b4a1ea68b94537204a564f05ddc20 2963 2961 2010-08-03T00:26:11Z Cmwslw 1 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| border="1" cellpadding="5" cellspacing="0" ! Generation !! CPU !! RAM !! size !! Utility flash !! 
size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs. ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 5ec35ff7824d36c6d22648e30aa2dfa35085d1ae 2995 2963 2010-08-05T15:11:35Z Cmwslw 1 wikitext text/x-wiki This is just a basic comparison of each generation's main components. 
For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs. 
==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 4331c6ea2347ec1aa18e1a3cc348e2963d5583fc Firmware decryption 0 66 2959 2952 2010-08-03T00:15:17Z User890104 124 wikitext text/x-wiki Understanding how the iPhone and iPod touch are encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, very similar to those on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor. Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption Starting with iPod Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) that decrypts parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via iBugger, then the encrypted data is sent. After the decryption process completes, the decrypted data is downloaded. The ipodcrypt utility has the following features: for Nano 2G: - encrypt/decrypt DFU image - encrypt/decrypt firmware file contents - encrypt/decrypt dump of NOR flash's contents for Nano 4G: - decrypt firmware file contents The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.
You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux. Windows First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below). Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads You also need pyUSB (http://pyusb.sourceforge.net/) - a Python module that provides commands for communicating with USB devices. Its download page is: http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver. Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Driver installation then proceeds as usual. Important note 2: You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions. Linux Python is usually included in most distributions, so you don't need to worry about installing it.
If you have easy_install, you can install pyUSB with: easy_install pyusb Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, use your distribution's package manager: search for libusb and install it. Mac OS X (to be added later) ==Helpful pages== http://ipodlinux.org/wiki/Flash_Decryption http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ d810a20aeae6e293909acf487a06e1078074ff78 2964 2959 2010-08-03T00:37:28Z Cmwslw 1 wikitext text/x-wiki ==Background== Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) that decrypts parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent. After the decryption process completes, the decrypted data is downloaded. ==ipodcrypt== The ipodcrypt utility has the following features: for [[Nano 2G]]: *encrypt/decrypt DFU image *encrypt/decrypt firmware file contents *encrypt/decrypt dump of NOR flash's contents for [[Nano 4G]]: *decrypt firmware file contents The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility.
Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux. Windows First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below). Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads You also need pyUSB (http://pyusb.sourceforge.net/) - a Python module that provides commands for communicating with USB devices. Its download page is: http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver. Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Driver installation then proceeds as usual. Important note 2: You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions. Linux Python is usually included in most distributions, so you don't need to worry about installing it.
If you have easy_install, you can install pyUSB with: easy_install pyusb Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, use your distribution's package manager: search for libusb and install it. Mac OS X (to be added later) ==Helpful pages== http://ipodlinux.org/wiki/Flash_Decryption http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ ca595c2fef11fa67f857a361e94a5c8116a0fa80 2965 2964 2010-08-03T00:39:52Z Cmwslw 1 wikitext text/x-wiki ==Background== Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) that decrypts parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent. After the decryption process completes, the decrypted data is downloaded. ==ipodcrypt== The ipodcrypt utility has the following features: for [[Nano 2G]]: *encrypt/decrypt DFU image *encrypt/decrypt firmware file contents *encrypt/decrypt dump of NOR flash's contents for [[Nano 4G]]: *decrypt firmware file contents The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility.
Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux. ==Prerequisites== ===Windows=== First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below). Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads You also need pyUSB (http://pyusb.sourceforge.net/) - a Python module that provides commands for communicating with USB devices. Its download page is: http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver. Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Driver installation then proceeds as usual. Important note 2: You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions. ===Linux=== Python is usually included in most distributions, so you don't need to worry about installing it.
If you have easy_install, you can install pyUSB with: easy_install pyusb Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, use your distribution's package manager: search for libusb and install it. ===Mac OS X=== (to be added later) ==Helpful pages== http://ipodlinux.org/wiki/Flash_Decryption http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ b4e473328ab5a451ba04d981fc32352e644549be 2966 2965 2010-08-03T00:48:27Z Cmwslw 1 /* Prerequisites */ wikitext text/x-wiki ==Background== Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) that decrypts parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent. After the decryption process completes, the decrypted data is downloaded.
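The Background section's point, that firmware can be decrypted without the key ever being found because the device's own crypto engine does the work, modelled as an added example (not ipodcrypt.py or any project code). The engine class, the chunked transfer and the toy Feistel cipher standing in for AES are assumptions chosen so the sketch runs on the Python standard library alone; for a designer it shows that an unreadable key protects the key, not the data, once arbitrary code can drive the engine.

```python
import hashlib
import os

BLOCK = 16  # bytes per block, matching the 128-bit blocks guessed on the page


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of a toy Feistel cipher (stand-in for AES, NOT secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def _encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def _decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class CryptoEngine:
    """Hypothetical on-chip engine: the key can be used but has no read path."""

    def __init__(self):
        self.__key = os.urandom(16)  # stands for a per-chip key; no getter

    def cbc_encrypt(self, iv, data):
        out, prev = bytearray(), iv
        for i in range(0, len(data), BLOCK):
            prev = _encrypt_block(self.__key, _xor(data[i:i + BLOCK], prev))
            out += prev
        return bytes(out)

    def cbc_decrypt(self, iv, data):
        out, prev = bytearray(), iv
        for i in range(0, len(data), BLOCK):
            block = data[i:i + BLOCK]
            out += _xor(_decrypt_block(self.__key, block), prev)
            prev = block
        return bytes(out)


def decrypt_via_engine(engine, iv, ciphertext, chunk_blocks=4, carry_iv=True):
    """Host side: stream ciphertext through the engine in chunks.

    CBC chains across chunk boundaries, so each chunk's IV must be the last
    ciphertext block of the previous chunk. carry_iv=False shows the failure.
    """
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    step = chunk_blocks * BLOCK
    plaintext, chunk_iv = bytearray(), iv
    for off in range(0, len(ciphertext), step):
        chunk = ciphertext[off:off + step]
        plaintext += engine.cbc_decrypt(chunk_iv, chunk)
        if carry_iv:
            chunk_iv = chunk[-BLOCK:]
    return bytes(plaintext)


def damaged_blocks(expected, actual):
    """Indexes of the 16-byte blocks that differ between two buffers."""
    return [i // BLOCK for i in range(0, len(expected), BLOCK)
            if expected[i:i + BLOCK] != actual[i:i + BLOCK]]


def demo():
    engine = CryptoEngine()
    iv = bytes(BLOCK)
    # Constructed 10-block "firmware image"; real images look nothing like this.
    image = b"".join(b"constructed-fw%02d" % n for n in range(10))
    ciphertext = engine.cbc_encrypt(iv, image)
    good = decrypt_via_engine(engine, iv, ciphertext)
    bad = decrypt_via_engine(engine, iv, ciphertext, carry_iv=False)
    return {"recovered": good == image,
            "damaged_without_carry": damaged_blocks(image, bad)}


if __name__ == "__main__":
    print(demo())
```

Only the first block of each later chunk is damaged when the chaining value is dropped, which is the usual symptom of a chunked CBC transfer that resets its IV.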
==ipodcrypt== The ipodcrypt utility has the following features: for [[Nano 2G]]: *encrypt/decrypt DFU image *encrypt/decrypt firmware file contents *encrypt/decrypt dump of NOR flash's contents for [[Nano 4G]]: *decrypt firmware file contents The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux. ==Prerequisites== ===Windows=== First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below). Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver. '''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended.
To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Driver installation then proceeds as usual. '''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions. ===Linux=== Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with: <pre> easy_install pyusb </pre> Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, use your distribution's package manager: search for libusb and install it. ===Mac OS X=== (to be added later) ==Helpful pages== http://ipodlinux.org/wiki/Flash_Decryption http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ a2f8873d1fc66b25e1bc1d4e5e419ffd792f5f02 Main Page 0 50 2962 2956 2010-08-03T00:25:00Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development-related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/01 - serpilliere managed to access and dump the SPI flash on the Nano 3G. This code could possibly work on the Classics.
*2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G bootrom]] ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 677cf5c1fcae0736c3e4ad7ec29269c70341a88a 2967 2962 2010-08-03T00:49:56Z Cmwslw 1 /* Software efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/01 - serpilliere managed to access and dump the SPI flash on the Nano 3G. This code could possibly work on the Classics. 
*2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. *2009/09/15 - Guide for installing iLoader on any 2G: http://bit.ly/2K6hHy *2009/09/06 - Working dual-booting bootloader for 2G! Also, read only FTL support, and 2nd Nanotron about to be running. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 463874862655151c9776cd228394012099e26f31 2968 2967 2010-08-03T00:54:11Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/02 - serpilliere managed to decrypt the NOR flash on the Nano 3G. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the Nano 3G. 
This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the 5th generation iPod Nano! Minimalistic iBugger working on Nano 3G! *2009/11/01 - iBugger core v0.1 successfully running on 4G nano! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on 4G Nano via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for 2G Nano is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the 4G Nano! Also, *VERY* primitive Rockbox running on 2G Nano. '''[[iLoader]] needs beta-testers (Nano 2G)!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** 
[[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} cafd17476a523caf9c2b218ee46474c02395c867 2969 2968 2010-08-03T00:58:25Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for [[Nano 2G]] is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the [[Nano 4G]]! Also, *VERY* primitive Rockbox running on [[Nano 2G]]. '''[[iLoader]] needs beta-testers ([[Nano 2G]])!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 87540dc1c089c99c9f9e075aaedb26d74727c719 2971 2969 2010-08-03T01:06:02Z Cmwslw 1 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. 
This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for [[Nano 2G]] is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do *2009/09/16 - We now have code execution on the [[Nano 4G]]! Also, *VERY* primitive Rockbox running on [[Nano 2G]]. '''[[iLoader]] needs beta-testers ([[Nano 2G]])!''' Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** 
[[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} c6397f2298548568e26387e2fefcd1fba629ff70 2974 2971 2010-08-03T20:49:15Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for [[Nano 2G]] is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 4079e429069215ae2327f578d88f0454d56e85d9 2978 2974 2010-08-04T19:35:41Z Cmwslw 1 /* Project info */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. 
*2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. *2009/10/07 - RB for [[Nano 2G]] is close to being stable. Working on UART for 4G - anyone have an iPT 2G+know about ARM7_go? Hop on #linux4nano-dev if you do Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] 
** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 5554b7bffa183983725684f43e6e2f1feb68425c 3006 2978 2010-08-05T15:18:42Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} c88a6b75ed97448b611710d501b501a228b89b06 S5L8700 datasheet 0 255 2970 1644 2010-08-03T01:04:45Z Cmwslw 1 wikitext text/x-wiki [[Image:8700 ball layout.png|thumb|S5L8700 ball layout (not the iPod's, though)]] The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail. 
==Package differences==
The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. [http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html This forum thread] describes the pinout of another S5L8700 package in another device (see right for ball layout).

==Helpful pages==
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html

http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

3b220251bfba230797542bebccd6acf0e58decd1 IBugger 0 116 2972 2725 2010-08-03T17:22:55Z Cmwslw 1 wikitext text/x-wiki
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
'''Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emBIOS]].'''

The two iBugger utilities use a Python script that handles USB communication with the iPod.

===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here].

iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.

You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core.

There are iBugger Loader releases for the 2G and 4G Nanos.

===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping a record of the register contents at the time the abort occurred
* Debugging console (printf and other functions are available to uploaded code and print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes are needed to the code being debugged to allow running it in iBugger

There are iBugger Loader releases for the 2G and 4G Nanos.

32c3ee44fead47f0c356499d14690e10cfef1599 Status 0 121 2973 2945 2010-08-03T19:32:16Z Cmwslw 1 /* Basic drivers or steps: */ wikitext text/x-wiki
This status is based on the progress the Linux4nano team has made.

== Basic drivers or steps: ==
In semi-chronological order:
{| border="1" cellpadding="5" cellspacing="0"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! 
[[Classic 3G]] (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| border="1" cellpadding="5" cellspacing="0" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin) |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes''', see [http://l4n.clustur.com/index.php/ILoader_howto#Uncapping here]</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 17e3b645d3fef4c300e6518e709b776723c12450 2988 2973 2010-08-05T15:03:37Z Cmwslw 1 wikitext text/x-wiki This status is based on the progress the Linux4nano team has made. == Basic drivers or steps: == In semi-chronological order: {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin) |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in 
progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} == Custom firmware == {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! 
[[Classic 3G]] (160thin) |- | Bootloader | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Rockbox | <span style="color:green">'''Mostly working''', see [http://www.rockbox.org/wiki/IPodNano2GPort here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Linux | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Uncap | <span style="color:green">'''Yes''', see [http://l4n.clustur.com/index.php/ILoader_howto#Uncapping here]</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- 3805a2adde1d40f5f611fbe335696182c098403a FTL 0 193 2975 2675 2010-08-04T10:45:06Z 213.5.64.20 0 /* Terminology */ wikitext text/x-wiki The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).
== On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) ____________________________________________________ | Block 0: Signature | |----------------------------------------------------| | 4 VFL context blocks | |----------------------------------------------------| | Spare blocks for remapping | |----------------------------------------------------| | Virtual blocks (directly mapped) | |- - - - - - - - - - - - - --------------------------| | Last few virtual blocks, | | | always marked as bad to | Low level signature | | protect overlapping low | and BBT blocks | | level BBT and signature | | |__________________________|_________________________| == The lowlevel BBT == This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ... == The VFL == The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL. === VFL context === /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */ struct ftl_vfl_cxt_type { /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */ uint32_t usn; /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. 
*/ uint16_t ftlctrlblocks[3]; /* Alignment to 32 bits */ uint8_t field_A[2]; /* Decrementing update counter for VFL context commits per bank */ uint32_t updatecount; /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. */ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. * Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. 
In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back.
If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     /* 0x1FE words: the whole context except the two checksum fields */
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.
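The effect of the inverted XOR comparison in ftl_vfl_verify_checksum above, shown on a constructed 0x800-byte VFL context. This is an added example, not code from this wiki or from Whimory: vfl_verify_strict, the case names and the sample data are hypothetical, the word indices are derived from struct ftl_vfl_cxt_type, and a return value of 0 is assumed to mean "accepted".

```c
#include <stdint.h>
#include <stdio.h>

/* Derived from struct ftl_vfl_cxt_type: 0x800 bytes = 0x200 words,
   checksums cover words 0..0x1FD, checksum1 is word 0x1FE and
   checksum2 is word 0x1FF. */
#define VFL_CXT_WORDS 0x200
#define VFL_SUM_WORDS 0x1FE
#define VFL_IDX_SUM   0x1FE
#define VFL_IDX_XOR   0x1FF
#define VFL_SEED      0xAABBCCDDu

enum vfl_case {
    CASE_INTACT,            /* data and both checksum fields consistent */
    CASE_BITFLIP,           /* data damaged, both stored checksums stale */
    CASE_BITFLIP_XOR_OK,    /* data damaged, only the XOR field agrees */
    CASE_SUM_FIELD_DAMAGED  /* data intact, checksum1 field damaged */
};

/* Additive and XOR checksums, seeded as in ftl_vfl_calculate_checksum. */
static void vfl_checksums(const uint32_t *cxt, uint32_t *sum, uint32_t *xr)
{
    uint32_t i, s = VFL_SEED, x = VFL_SEED;
    for (i = 0; i < VFL_SUM_WORDS; i++) {
        s += cxt[i];
        x ^= cxt[i];
    }
    *sum = s;
    *xr = x;
}

/* Same decisions as ftl_vfl_verify_checksum on this page, including the
   inverted XOR test. Assumption: 0 = accepted, 1 = rejected. */
static int vfl_verify_compat(const uint32_t *cxt)
{
    uint32_t sum, xr;
    vfl_checksums(cxt, &sum, &xr);
    if (sum == cxt[VFL_IDX_SUM]) return 0;
    if (xr != cxt[VFL_IDX_XOR]) return 0;
    return 1;
}

/* Hypothetical strict check for analysis tools: both must match. */
static int vfl_verify_strict(const uint32_t *cxt)
{
    uint32_t sum, xr;
    vfl_checksums(cxt, &sum, &xr);
    return (sum == cxt[VFL_IDX_SUM] && xr == cxt[VFL_IDX_XOR]) ? 0 : 1;
}

/* Build a constructed (not real) context for one of the cases above. */
static void vfl_build_case(uint32_t *cxt, enum vfl_case c)
{
    uint32_t i, sum, xr;
    for (i = 0; i < VFL_SUM_WORDS; i++)
        cxt[i] = i * 0x01010101u + 7u;          /* constructed filler */
    vfl_checksums(cxt, &cxt[VFL_IDX_SUM], &cxt[VFL_IDX_XOR]);
    switch (c) {
    case CASE_INTACT:
        break;
    case CASE_BITFLIP:
        cxt[0x10] ^= 0x100u;   /* byte offset 0x40, inside remaptable */
        break;
    case CASE_BITFLIP_XOR_OK:
        cxt[0x10] ^= 0x100u;
        vfl_checksums(cxt, &sum, &xr);
        cxt[VFL_IDX_XOR] = xr; /* XOR field matches, sum field is stale */
        break;
    case CASE_SUM_FIELD_DAMAGED:
        cxt[VFL_IDX_SUM] ^= 1u;
        break;
    }
}

int main(void)
{
    static const char *names[] = {
        "intact", "bit flip, checksums stale",
        "bit flip, XOR field matches", "intact data, sum field damaged"
    };
    uint32_t cxt[VFL_CXT_WORDS];
    int c;
    for (c = 0; c < 4; c++) {
        vfl_build_case(cxt, (enum vfl_case)c);
        printf("%-32s compat=%s strict=%s\n", names[c],
               vfl_verify_compat(cxt) ? "reject" : "accept",
               vfl_verify_strict(cxt) ? "reject" : "accept");
    }
    return 0;
}
```

A tool that parses flash dumps can run the strict check next to the compatible one and flag any context that only the compatible check accepts.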
=== FTL Context === /* Keeps the state of the FTL, both on flash and in memory */ struct ftl_cxt_type { /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */ uint32_t usn; /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */ uint32_t nextblockusn; /* Count of currently free pages in the block pool */ uint16_t freecount; /* Index to the first free hyperblock in the blockpool ring buffer */ uint16_t nextfreeidx; /* This is a counter that is used to better distribute block wear. It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */ uint16_t swapcounter; /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. */ uint16_t blockpool[0x14]; /* Alignment to 32 bits */ uint16_t field_36; /* vPages where the block map is stored */ uint32_t ftl_map_pages[8]; /* Probably additional map page number space for bigger chips */ uint8_t field_58[0x28]; /* vPages where the erase counters are stored */ uint32_t ftl_erasectr_pages[8]; /* Seems to be padding */ uint8_t field_A0[0x70]; /* Pointer to ftl_map used by Whimory, not used by us */ uint32_t ftl_map_ptr; /* Pointer to ftl_erasectr used by Whimory, not used by us */ uint32_t ftl_erasectr_ptr; /* Pointer to ftl_log used by Whimory, not used by us */ uint32_t ftl_log_ptr; /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. 
     */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.
=== lPage write procedure === * Yet to be documented === FTL sync/shutdown procedure === * Yet to be documented === FTL context update procedure === * Yet to be documented == Error handling == * Yet to be documented == Scattered page blocks == * Yet to be documented == Page metadata (spare bytes) == /* Layout of the spare bytes of each page on the flash */ union ftl_spare_data_type { /* The layout used for actual user data (types 0x40 and 0x41) */ struct ftl_spare_data_user_type { /* The lPage, i.e. Sector, number */ uint32_t lpn; /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */ uint32_t usn; /* Seems to be unused */ uint8_t field_8; /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) user; /* The layout used for meta data (other types) */ struct ftl_spare_data_meta_type { /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */ uint32_t usn; /* Index of the thing inside the page, for example number / index of the map or erase counter page */ uint16_t idx; /* Seems to be unused */ uint8_t field_6; /* Seems to be unused */ uint8_t field_7; /* Seems to be unused */ uint8_t field_8; /* Type field: 0x43: FTL context page 0x44: Block map page 0x46: Erase counter page 0x47: "FTL is currently mounted", i.e. unclean shutdown, mark 0x80: VFL context page */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. 
*/ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) meta; }; de0fd154c7105f2ae8e8f92b12e63cf1be40868b 2977 2975 2010-08-04T12:45:29Z 217.81.238.231 0 Undo revision 2975 by [[Special:Contributions/213.5.64.20|213.5.64.20]] ([[User talk:213.5.64.20|Talk]]) wikitext text/x-wiki The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages. * Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad. * Physical page (pPage): A physical page number on the flash. * The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.) * Hyperblock: One block across all banks. * System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below. * System pages: All the pages in the system hyperblocks. == On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) 
  ____________________________________________________
 | Block 0: Signature                                 |
 |----------------------------------------------------|
 | 4 VFL context blocks                               |
 |----------------------------------------------------|
 | Spare blocks for remapping                         |
 |----------------------------------------------------|
 | Virtual blocks (directly mapped)                   |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  | Low level signature     |
 | protect overlapping low  | and BBT blocks          |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index
        into vflcxtblocks.
*/ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. */ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. * Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT. 
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points).
If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     /* 0x1FE words: the whole context except the two checksum fields */
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written.
*/ uint32_t usn; /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */ uint32_t nextblockusn; /* Count of currently free pages in the block pool */ uint16_t freecount; /* Index to the first free hyperblock in the blockpool ring buffer */ uint16_t nextfreeidx; /* This is a counter that is used to better distribute block wear. It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20. */ uint16_t swapcounter; /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. */ uint16_t blockpool[0x14]; /* Alignment to 32 bits */ uint16_t field_36; /* vPages where the block map is stored */ uint32_t ftl_map_pages[8]; /* Probably additional map page number space for bigger chips */ uint8_t field_58[0x28]; /* vPages where the erase counters are stored */ uint32_t ftl_erasectr_pages[8]; /* Seems to be padding */ uint8_t field_A0[0x70]; /* Pointer to ftl_map used by Whimory, not used by us */ uint32_t ftl_map_ptr; /* Pointer to ftl_erasectr used by Whimory, not used by us */ uint32_t ftl_erasectr_ptr; /* Pointer to ftl_log used by Whimory, not used by us */ uint32_t ftl_log_ptr; /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */ uint32_t erasedirty; /* Seems to be unused */ uint16_t field_120; /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. 
     */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.

=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e.
Sector, number */ uint32_t lpn; /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */ uint32_t usn; /* Seems to be unused */ uint8_t field_8; /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) user; /* The layout used for meta data (other types) */ struct ftl_spare_data_meta_type { /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */ uint32_t usn; /* Index of the thing inside the page, for example number / index of the map or erase counter page */ uint16_t idx; /* Seems to be unused */ uint8_t field_6; /* Seems to be unused */ uint8_t field_7; /* Seems to be unused */ uint8_t field_8; /* Type field: 0x43: FTL context page 0x44: Block map page 0x46: Erase counter page 0x47: "FTL is currently mounted", i.e. unclean shutdown, mark 0x80: VFL context page */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) meta; }; 5ba37dcbcb54683cbfca2ab26cf21c886911dfd1 Contributing 0 256 2979 2010-08-04T22:41:49Z Cmwslw 1 Created page with 'The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the ...' wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". 
Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *ARM assembly - this is probably the hardest topic for beginners to grasp. ==Vulnerabilities== ==Writing guides== ==Testing== b256fb8612b2f3c0aec45db647af61a74962652f 2980 2979 2010-08-05T00:27:13Z Cmwslw 1 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. 
Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware). ==Writing guides== ==Testing== 50dad41026f3d5d73e1b7549d02642a9ad70164d 2981 2980 2010-08-05T00:35:42Z Cmwslw 1 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. 
Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).

==Writing guides==
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.

==Testing==
Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding of the tools you're testing. Besides, we already have a lot of willing testers.

4ebf7a083af41a256aa8421ca4bcb522187da06d 2982 2981 2010-08-05T00:36:15Z Cmwslw 1 /* Testing */ wikitext text/x-wiki

The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project:

==Developing==
This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about:
*'''ARM assembly''' - this is probably the hardest topic for beginners to grasp.
Resources:
**[http://simplemachines.it/doc/arm_inst.pdf an ARM primer]
**[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref]
**[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM]
**http://simplemachines.it has great resources for learning ARM
*'''C''' - Used whenever we can avoid using ARM assembly.
*'''Python''' - Python is used often for various scripts we write.

==Vulnerabilities==
If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).

==Writing guides==
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.

==Testing==
Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding of the tools you're testing. Besides, we already have a lot of [[Willing testers]].
4b06fbd768d153d97da76a26744df3fdde764c4f MediaWiki:Common.css 8 257 2983 2010-08-05T14:15:33Z TheSeven 13 Add some missing table CSS css text/css /* Pad Google AdSense box in portlet in sidebar */ #p-googleadsense .pBody { padding-top: 5px; text-align: center; } .wikitable { margin: 1em 1em 1em 0; background: #f9f9f9; border: 1px #aaa solid; border-collapse: collapse; } table.wikitable.zebra tr:nth-child(even) { background: white; } .nogrid th, .nogrid td { border: none; } div.float-left, table.float-left, .float-left { float: left; clear: left; } div.float-right, table.float-right, .float-right { float: right; clear: right; margin: 1em 0 1em 1em; } div.centered, table.centered, .centered { margin-left: auto; margin-right: auto; } .toptextcells td { vertical-align: top; } 8f11ff45a68f7b347eacd025e80367db929e37a7 2985 2983 2010-08-05T14:34:08Z TheSeven 13 Copy it from wikipedia this time css text/css .mw-plusminus-pos { color:#006400; } .mw-plusminus-neg { color:#8B0000; } .mw-plusminus-null { color:#AAAAAA; } span.comment { font-style:italic; } span.changedby { font-size:95%; } .texvc { direction:ltr; unicode-bidi:embed; } img.tex { vertical-align:middle; } span.texhtml { font-family:serif; } #wikiPreview.ontop { margin-bottom:1em; } #editform, #toolbar, #wpTextbox1 { clear:both; } div#mw-js-message { background-color:#FCFCFC; border:1px solid #DDDDDD; margin:1em 5%; padding:0.5em 2.5%; } .editsection { float:right; margin-left:5px; } h2#filehistory { clear:both; } table.filehistory th, table.filehistory td { vertical-align:top; } table.filehistory th { text-align:left; } table.filehistory td.mw-imagepage-filesize, table.filehistory th.mw-imagepage-filesize { white-space:nowrap; } table.filehistory td.filehistory-selected { font-weight:bold; } li span.deleted, span.history-deleted { color:#888888; font-style:italic; text-decoration:line-through; } .not-patrolled { background-color:#FFFFAA; } .unpatrolled { color:red; font-weight:bold; } div.patrollink { 
font-size:75%; text-align:right; } body.ltr td.mw-label { text-align:right; } body.ltr td.mw-input { text-align:left; } body.ltr td.mw-submit { text-align:left; } body.rtl td.mw-label { text-align:left; } body.rtl td.mw-input { text-align:right; } body.rtl td.mw-submit { text-align:right; } td.mw-label { vertical-align:top; } .prefsection td.mw-label { width:20%; } .prefsection table { width:100%; } td.mw-submit { white-space:nowrap; } table.mw-htmlform-nolabel td.mw-label { width:0 !important; } tr.mw-htmlform-vertical-label td.mw-label { text-align:left !important; } input#wpSummary { width:80%; } body.rtl .thumbcaption { text-align:right; } body.rtl .magnify { float:left; } body.ltr .thumbcaption { text-align:left; } body.ltr .magnify { float:right; } .mw-hidden-cats-hidden { display:none; } .catlinks-allhidden { display:none; } p.mw-ipb-conveniencelinks, p.mw-protect-editreasons, p.mw-filedelete-editreasons, p.mw-delete-editreasons, p.mw-revdel-editreasons { float:right; font-size:90%; } .searchresults { } .searchresults p { margin-bottom:1.2em; margin-left:0.4em; margin-top:1em; } div.searchresult { font-size:95%; width:38em; } .mw-search-results { margin-left:0.4em; } .mw-search-results li { list-style:none outside none; padding-bottom:1em; } .mw-search-results li a { font-size:108%; } .mw-search-result-data { color:green; font-size:97%; } .mw-search-formheader { background-color:#F3F3F3; border:1px solid silver; margin-top:1em; } .mw-search-formheader div.search-types { float:left; padding-left:0.25em; } .rtl .mw-search-formheader div.search-types { float:right; } .mw-search-formheader div.search-types ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.search-types ul li { float:left; margin:0; padding:0; } .mw-search-formheader div.search-types ul li a { display:block; padding:0.5em; } .mw-search-formheader div.search-types ul li.current a { color:#333333; cursor:default; } 
.mw-search-formheader div.search-types ul li.current a:hover { text-decoration:none; } .mw-search-formheader div.results-info { float:right; padding:0.5em 0.75em 0.5em 0.5em; } .mw-search-formheader div.results-info ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.results-info ul li { float:right; margin:0; padding:0; } fieldset#mw-searchoptions { background-color:#F9F9F9; border-color:silver !important; border-right:1px solid silver !important; border-style:solid !important; border-width:0 1px 1px !important; margin:0; padding:0.5em 0.75em !important; } fieldset#mw-searchoptions legend { display:none; } fieldset#mw-searchoptions h4 { float:left; margin:0; padding:0; } .rtl fieldset#mw-searchoptions h4 { float:right; } fieldset#mw-searchoptions div#mw-search-togglebox { float:right; } .rtl fieldset#mw-searchoptions div#mw-search-togglebox { float:left; } fieldset#mw-searchoptions div#mw-search-togglebox label { margin-right:0.25em; } fieldset#mw-searchoptions div#mw-search-togglebox input { margin-left:0.25em; } fieldset#mw-searchoptions table { float:left; margin-right:3em; } fieldset#mw-searchoptions table td { padding-right:1em; } .rtl fieldset#mw-searchoptions table td { padding-left:1em; padding-right:0; } body.rtl fieldset#mw-searchoptions table { float:right; margin-left:3em; margin-right:0; } fieldset#mw-searchoptions div.divider { border-bottom:1px solid #DDDDDD; clear:both; margin-bottom:0.5em; padding-top:0.5em; } td#mw-search-menu { font-size:85%; padding-left:6em; } div#mw-search-interwiki { border:1px solid #AAAAAA; float:right; margin-top:2ex; width:18em; } .rtl div#mw-search-interwiki { float:left; } div#mw-search-interwiki li { font-size:95%; } .mw-search-interwiki-more { float:right; font-size:90%; } .rtl .mw-search-interwiki-more { float:left; } div#mw-search-interwiki-caption { font-size:95%; font-weight:bold; text-align:center; } .mw-search-interwiki-project { 
background-color:#ECECEC; border-top:1px solid #BBBBBB; font-size:97%; padding:0.15em 0.15em 0.2em 0.2em; text-align:left; } .rtl .mw-search-interwiki-project { text-align:right; } span.searchalttitle { font-size:95%; } div.searchdidyoumean { color:#CC0000; font-size:127%; margin-top:0.8em; } div.searchdidyoumean em { font-weight:bold; } .searchmatch { font-weight:bold; } table#mw-search-top-table { background-color:transparent; } td#mw-search-togglebox { text-align:right; } table#mw-search-powertable { width:100%; } form#powersearch { clear:both; } .mw-userrights-disabled { color:#888888; } table.mw-userrights-groups * td, table.mw-userrights-groups * th { padding-right:1.5em; } .os-suggest { background-color:window; border:1px solid #AAAAAA; font-size:95%; left:0; overflow-x:hidden; overflow-y:auto; position:absolute; top:0; width:0; z-index:99; } table.os-suggest-results { border:0 none; border-collapse:collapse; cursor:pointer; font-size:95%; width:100%; } .os-suggest-result, .os-suggest-result-hl { background-color:window; color:windowtext; padding:2px; white-space:nowrap; } .os-suggest-result-hl, .os-suggest-result-hl-webkit { background-color:#4C59A6; color:white; } .os-suggest-result-hl { background-color:highlight; color:highlighttext; } .os-suggest-toggle { font-size:65%; left:1ex; position:relative; } .os-suggest-toggle-def { font-size:65%; left:0; position:absolute; top:0; visibility:hidden; } .autocomment { color:gray; } #pagehistory .history-user { margin-left:0.4em; margin-right:0.2em; } #pagehistory span.minor { font-weight:bold; } #pagehistory li { border:1px solid white; } #pagehistory li.selected { background-color:#F9F9F9; border:1px dashed #AAAAAA; } .newpage, .minor, .bot { font-weight:bold; } .mw-uctop { font-weight:bold; } table.mw-listgrouprights-table tr { vertical-align:top; } .listgrouprights-revoked { text-decoration:line-through; } td.mw-statistics-numbers { text-align:right; } h4.mw-specialpagesgroup { background-color:#DCDCDC; 
margin:0.3em 0 0; padding:2px; } .mw-specialpagerestricted { font-weight:bold; } #shared-image-dup, #shared-image-conflict { font-style:italic; } table.mw-emailuser-table { width:98%; } td#mw-emailuser-sender, td#mw-emailuser-recipient { font-weight:bold; } table.allpageslist { background-color:transparent; } table.mw-allpages-table-form, table.mw-allpages-table-chunk { background-color:transparent; width:100%; } td.mw-allpages-alphaindexline { text-align:right; } td.mw-allpages-nav, p.mw-allpages-nav { font-size:smaller; margin-bottom:1em; text-align:right; } table.mw-allpages-table-form tr { vertical-align:top; } table#mw-prefixindex-list-table, table#mw-prefixindex-nav-table { background-color:transparent; width:98%; } td#mw-prefixindex-nav-form { font-size:smaller; margin-bottom:1em; text-align:right; vertical-align:top; } div.mw-warning-with-logexcerpt { border:2px solid #2F6FAB; clear:both; margin-bottom:3px; padding:3px; } div.mw-warning-with-logexcerpt ul li { font-size:90%; } span.mw-revdelundel-link, strong.mw-revdelundel-link { font-size:90%; } span.mw-revdelundel-hidden, input.mw-revdelundel-hidden { visibility:hidden; } td.mw-revdel-checkbox, th.mw-revdel-checkbox { padding-right:10px; text-align:center; } a.feedlink { background:url("images/feed-icon.png") no-repeat scroll left center transparent; padding-left:16px; } .plainlinks a { background:none repeat scroll 0 0 transparent !important; padding:0 !important; } table.wikitable { background:none repeat scroll 0 0 #F9F9F9; border:1px solid #AAAAAA; border-collapse:collapse; margin:1em 1em 1em 0; } .wikitable th, .wikitable td { border:1px solid #AAAAAA; padding:0.2em; } .wikitable th { background:none repeat scroll 0 0 #F2F2F2; text-align:center; } .wikitable caption { font-weight:bold; } table.collapsed tr.collapsable { display:none; } .success { color:green; font-size:larger; } .error { color:red; font-size:larger; } .errorbox, .successbox { border:2px solid; color:#000000; float:left; 
font-size:larger; margin-bottom:2em; padding:0.5em 1em; } .errorbox { background-color:#FFF2F2; border-color:red; } .successbox { background-color:#DDFFDD; border-color:green; } .errorbox h2, .successbox h2 { border:medium none; display:inline; font-size:1em; font-weight:bold; margin:0 0.5em 0 0; } .previewnote { color:#CC0000; margin-bottom:1em; } .previewnote p { margin:0.8em 0; text-indent:3em; } .visualClear { clear:both; } #mw_trackbacks { background-color:#EEEEFF; border:1px solid #BBBBFF; padding:0.2em; } .TablePager { min-width:80%; } .TablePager_nav a { text-decoration:none; } .TablePager { border-collapse:collapse; } .TablePager, .TablePager td, .TablePager th { border:1px solid #AAAAAA; padding:0 0.15em; } .TablePager th { background-color:#EEEEFF; } .TablePager td { background-color:#FFFFFF; } .TablePager tr:hover td { background-color:#EEEEFF; } .imagelist td, .imagelist th { white-space:nowrap; } .imagelist .TablePager_col_links { background-color:#EEEEFF; } .imagelist .TablePager_col_img_description { white-space:normal; } .imagelist th.TablePager_sort { background-color:#CCCCFF; } #mw-allmessagestable .allmessages-customised td.am_default { background-color:#FCFFC4; } #mw-allmessagestable tr.allmessages-customised:hover td.am_default { background-color:#FAFF90; } #mw-allmessagestable td.am_actual { background-color:#E2FFE2; } #mw-allmessagestable tr.allmessages-customised:hover + tr.allmessages-customised td.am_actual { background-color:#B1FFB1; } ul#filetoc { background-color:#F9F9F9; border:1px solid #AAAAAA; font-size:95%; margin-bottom:0.5em; margin-left:0; margin-right:0; padding:5px; text-align:center; } #filetoc li { display:inline; list-style-type:none; padding-right:2em; } table.mw_metadata { font-size:0.8em; margin-bottom:0.5em; margin-left:0.5em; width:300px; } table.mw_metadata caption { font-weight:bold; } table.mw_metadata th { font-weight:normal; } table.mw_metadata td { padding:0.1em; } table.mw_metadata { border:medium none; 
border-collapse:collapse; } table.mw_metadata td, table.mw_metadata th { border:1px solid #AAAAAA; padding-left:0.1em; padding-right:0.1em; text-align:center; } table.mw_metadata th { background-color:#F9F9F9; } table.mw_metadata td { background-color:#FCFCFC; } table.gallery { background-color:white; border:1px solid #CCCCCC; margin:2px; padding:2px; } table.gallery tr { vertical-align:top; } table.gallery td { background-color:#F9F9F9; border:2px solid white; vertical-align:top; } table.gallery caption { font-weight:bold; } div.gallerybox { margin:2px; } div.gallerybox div.thumb { border:1px solid #CCCCCC; margin:2px; text-align:center; } div.gallerytext { font-size:94%; overflow:hidden; padding:2px 4px; } table.mw-enhanced-rc { background:none repeat scroll 0 0 transparent; border:0 none; border-spacing:0; } td.mw-enhanced-rc { font-family:monospace; padding:0; vertical-align:top; white-space:nowrap; } #mw-addcategory-prompt { display:inline; margin-left:1em; } #mw-addcategory-prompt input { margin-left:0.5em; margin-right:0.5em; } .mw-remove-category { background-image:url("images/remove.png"); background-position:center center; background-repeat:no-repeat; padding:8px; } .mw-ajax-addcategory { background-image:url("images/add.png"); background-position:left center; background-repeat:no-repeat; padding-left:20px; } .mw-ajax-loader { background-image:url("images/ajax-loader.gif"); background-position:center center; background-repeat:no-repeat; padding:16px; position:relative; top:-16px; } .mw-small-spinner { background-image:url("images/spinner.gif"); background-position:center center; background-repeat:no-repeat; margin-right:0.6em; padding:10px !important; } a.sortheader { margin:0 0.3em; } 5d91ca804d52f1a509541c5aa5922f41dcccadf6 2986 2985 2010-08-05T14:50:04Z TheSeven 13 Add a pretty table cell padding class css text/css .mw-plusminus-pos { color:#006400; } .mw-plusminus-neg { color:#8B0000; } .mw-plusminus-null { color:#AAAAAA; } span.comment { 
font-style:italic; } span.changedby { font-size:95%; } .texvc { direction:ltr; unicode-bidi:embed; } img.tex { vertical-align:middle; } span.texhtml { font-family:serif; } #wikiPreview.ontop { margin-bottom:1em; } #editform, #toolbar, #wpTextbox1 { clear:both; } div#mw-js-message { background-color:#FCFCFC; border:1px solid #DDDDDD; margin:1em 5%; padding:0.5em 2.5%; } .editsection { float:right; margin-left:5px; } h2#filehistory { clear:both; } table.filehistory th, table.filehistory td { vertical-align:top; } table.filehistory th { text-align:left; } table.filehistory td.mw-imagepage-filesize, table.filehistory th.mw-imagepage-filesize { white-space:nowrap; } table.filehistory td.filehistory-selected { font-weight:bold; } li span.deleted, span.history-deleted { color:#888888; font-style:italic; text-decoration:line-through; } .not-patrolled { background-color:#FFFFAA; } .unpatrolled { color:red; font-weight:bold; } div.patrollink { font-size:75%; text-align:right; } body.ltr td.mw-label { text-align:right; } body.ltr td.mw-input { text-align:left; } body.ltr td.mw-submit { text-align:left; } body.rtl td.mw-label { text-align:left; } body.rtl td.mw-input { text-align:right; } body.rtl td.mw-submit { text-align:right; } td.mw-label { vertical-align:top; } .prefsection td.mw-label { width:20%; } .prefsection table { width:100%; } td.mw-submit { white-space:nowrap; } table.mw-htmlform-nolabel td.mw-label { width:0 !important; } tr.mw-htmlform-vertical-label td.mw-label { text-align:left !important; } input#wpSummary { width:80%; } body.rtl .thumbcaption { text-align:right; } body.rtl .magnify { float:left; } body.ltr .thumbcaption { text-align:left; } body.ltr .magnify { float:right; } .mw-hidden-cats-hidden { display:none; } .catlinks-allhidden { display:none; } p.mw-ipb-conveniencelinks, p.mw-protect-editreasons, p.mw-filedelete-editreasons, p.mw-delete-editreasons, p.mw-revdel-editreasons { float:right; font-size:90%; } .searchresults { } .searchresults p { 
margin-bottom:1.2em; margin-left:0.4em; margin-top:1em; } div.searchresult { font-size:95%; width:38em; } .mw-search-results { margin-left:0.4em; } .mw-search-results li { list-style:none outside none; padding-bottom:1em; } .mw-search-results li a { font-size:108%; } .mw-search-result-data { color:green; font-size:97%; } .mw-search-formheader { background-color:#F3F3F3; border:1px solid silver; margin-top:1em; } .mw-search-formheader div.search-types { float:left; padding-left:0.25em; } .rtl .mw-search-formheader div.search-types { float:right; } .mw-search-formheader div.search-types ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.search-types ul li { float:left; margin:0; padding:0; } .mw-search-formheader div.search-types ul li a { display:block; padding:0.5em; } .mw-search-formheader div.search-types ul li.current a { color:#333333; cursor:default; } .mw-search-formheader div.search-types ul li.current a:hover { text-decoration:none; } .mw-search-formheader div.results-info { float:right; padding:0.5em 0.75em 0.5em 0.5em; } .mw-search-formheader div.results-info ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.results-info ul li { float:right; margin:0; padding:0; } fieldset#mw-searchoptions { background-color:#F9F9F9; border-color:silver !important; border-right:1px solid silver !important; border-style:solid !important; border-width:0 1px 1px !important; margin:0; padding:0.5em 0.75em !important; } fieldset#mw-searchoptions legend { display:none; } fieldset#mw-searchoptions h4 { float:left; margin:0; padding:0; } .rtl fieldset#mw-searchoptions h4 { float:right; } fieldset#mw-searchoptions div#mw-search-togglebox { float:right; } .rtl fieldset#mw-searchoptions div#mw-search-togglebox { float:left; } fieldset#mw-searchoptions div#mw-search-togglebox label { margin-right:0.25em; } fieldset#mw-searchoptions 
div#mw-search-togglebox input { margin-left:0.25em; } fieldset#mw-searchoptions table { float:left; margin-right:3em; } fieldset#mw-searchoptions table td { padding-right:1em; } .rtl fieldset#mw-searchoptions table td { padding-left:1em; padding-right:0; } body.rtl fieldset#mw-searchoptions table { float:right; margin-left:3em; margin-right:0; } fieldset#mw-searchoptions div.divider { border-bottom:1px solid #DDDDDD; clear:both; margin-bottom:0.5em; padding-top:0.5em; } td#mw-search-menu { font-size:85%; padding-left:6em; } div#mw-search-interwiki { border:1px solid #AAAAAA; float:right; margin-top:2ex; width:18em; } .rtl div#mw-search-interwiki { float:left; } div#mw-search-interwiki li { font-size:95%; } .mw-search-interwiki-more { float:right; font-size:90%; } .rtl .mw-search-interwiki-more { float:left; } div#mw-search-interwiki-caption { font-size:95%; font-weight:bold; text-align:center; } .mw-search-interwiki-project { background-color:#ECECEC; border-top:1px solid #BBBBBB; font-size:97%; padding:0.15em 0.15em 0.2em 0.2em; text-align:left; } .rtl .mw-search-interwiki-project { text-align:right; } span.searchalttitle { font-size:95%; } div.searchdidyoumean { color:#CC0000; font-size:127%; margin-top:0.8em; } div.searchdidyoumean em { font-weight:bold; } .searchmatch { font-weight:bold; } table#mw-search-top-table { background-color:transparent; } td#mw-search-togglebox { text-align:right; } table#mw-search-powertable { width:100%; } form#powersearch { clear:both; } .mw-userrights-disabled { color:#888888; } table.mw-userrights-groups * td, table.mw-userrights-groups * th { padding-right:1.5em; } .os-suggest { background-color:window; border:1px solid #AAAAAA; font-size:95%; left:0; overflow-x:hidden; overflow-y:auto; position:absolute; top:0; width:0; z-index:99; } table.os-suggest-results { border:0 none; border-collapse:collapse; cursor:pointer; font-size:95%; width:100%; } .os-suggest-result, .os-suggest-result-hl { background-color:window; 
color:windowtext; padding:2px; white-space:nowrap; } .os-suggest-result-hl, .os-suggest-result-hl-webkit { background-color:#4C59A6; color:white; } .os-suggest-result-hl { background-color:highlight; color:highlighttext; } .os-suggest-toggle { font-size:65%; left:1ex; position:relative; } .os-suggest-toggle-def { font-size:65%; left:0; position:absolute; top:0; visibility:hidden; } .autocomment { color:gray; } #pagehistory .history-user { margin-left:0.4em; margin-right:0.2em; } #pagehistory span.minor { font-weight:bold; } #pagehistory li { border:1px solid white; } #pagehistory li.selected { background-color:#F9F9F9; border:1px dashed #AAAAAA; } .newpage, .minor, .bot { font-weight:bold; } .mw-uctop { font-weight:bold; } table.mw-listgrouprights-table tr { vertical-align:top; } .listgrouprights-revoked { text-decoration:line-through; } td.mw-statistics-numbers { text-align:right; } h4.mw-specialpagesgroup { background-color:#DCDCDC; margin:0.3em 0 0; padding:2px; } .mw-specialpagerestricted { font-weight:bold; } #shared-image-dup, #shared-image-conflict { font-style:italic; } table.mw-emailuser-table { width:98%; } td#mw-emailuser-sender, td#mw-emailuser-recipient { font-weight:bold; } table.allpageslist { background-color:transparent; } table.mw-allpages-table-form, table.mw-allpages-table-chunk { background-color:transparent; width:100%; } td.mw-allpages-alphaindexline { text-align:right; } td.mw-allpages-nav, p.mw-allpages-nav { font-size:smaller; margin-bottom:1em; text-align:right; } table.mw-allpages-table-form tr { vertical-align:top; } table#mw-prefixindex-list-table, table#mw-prefixindex-nav-table { background-color:transparent; width:98%; } td#mw-prefixindex-nav-form { font-size:smaller; margin-bottom:1em; text-align:right; vertical-align:top; } div.mw-warning-with-logexcerpt { border:2px solid #2F6FAB; clear:both; margin-bottom:3px; padding:3px; } div.mw-warning-with-logexcerpt ul li { font-size:90%; } span.mw-revdelundel-link, 
strong.mw-revdelundel-link { font-size:90%; } span.mw-revdelundel-hidden, input.mw-revdelundel-hidden { visibility:hidden; } td.mw-revdel-checkbox, th.mw-revdel-checkbox { padding-right:10px; text-align:center; } a.feedlink { background:url("images/feed-icon.png") no-repeat scroll left center transparent; padding-left:16px; } .plainlinks a { background:none repeat scroll 0 0 transparent !important; padding:0 !important; } table.wikitable { background:none repeat scroll 0 0 #F9F9F9; border:1px solid #AAAAAA; border-collapse:collapse; margin:1em 1em 1em 0; } .wikitable th, .wikitable td { border:1px solid #AAAAAA; padding:0.2em; } .wikitable th { background:none repeat scroll 0 0 #F2F2F2; text-align:center; } .wikitable caption { font-weight:bold; } table.collapsed tr.collapsable { display:none; } .success { color:green; font-size:larger; } .error { color:red; font-size:larger; } .errorbox, .successbox { border:2px solid; color:#000000; float:left; font-size:larger; margin-bottom:2em; padding:0.5em 1em; } .errorbox { background-color:#FFF2F2; border-color:red; } .successbox { background-color:#DDFFDD; border-color:green; } .errorbox h2, .successbox h2 { border:medium none; display:inline; font-size:1em; font-weight:bold; margin:0 0.5em 0 0; } .previewnote { color:#CC0000; margin-bottom:1em; } .previewnote p { margin:0.8em 0; text-indent:3em; } .visualClear { clear:both; } #mw_trackbacks { background-color:#EEEEFF; border:1px solid #BBBBFF; padding:0.2em; } .TablePager { min-width:80%; } .TablePager_nav a { text-decoration:none; } .TablePager { border-collapse:collapse; } .TablePager, .TablePager td, .TablePager th { border:1px solid #AAAAAA; padding:0 0.15em; } .TablePager th { background-color:#EEEEFF; } .TablePager td { background-color:#FFFFFF; } .TablePager tr:hover td { background-color:#EEEEFF; } .imagelist td, .imagelist th { white-space:nowrap; } .imagelist .TablePager_col_links { background-color:#EEEEFF; } .imagelist .TablePager_col_img_description { 
white-space:normal; } .imagelist th.TablePager_sort { background-color:#CCCCFF; } #mw-allmessagestable .allmessages-customised td.am_default { background-color:#FCFFC4; } #mw-allmessagestable tr.allmessages-customised:hover td.am_default { background-color:#FAFF90; } #mw-allmessagestable td.am_actual { background-color:#E2FFE2; } #mw-allmessagestable tr.allmessages-customised:hover + tr.allmessages-customised td.am_actual { background-color:#B1FFB1; } ul#filetoc { background-color:#F9F9F9; border:1px solid #AAAAAA; font-size:95%; margin-bottom:0.5em; margin-left:0; margin-right:0; padding:5px; text-align:center; } #filetoc li { display:inline; list-style-type:none; padding-right:2em; } table.mw_metadata { font-size:0.8em; margin-bottom:0.5em; margin-left:0.5em; width:300px; } table.mw_metadata caption { font-weight:bold; } table.mw_metadata th { font-weight:normal; } table.mw_metadata td { padding:0.1em; } table.mw_metadata { border:medium none; border-collapse:collapse; } table.mw_metadata td, table.mw_metadata th { border:1px solid #AAAAAA; padding-left:0.1em; padding-right:0.1em; text-align:center; } table.mw_metadata th { background-color:#F9F9F9; } table.mw_metadata td { background-color:#FCFCFC; } table.gallery { background-color:white; border:1px solid #CCCCCC; margin:2px; padding:2px; } table.gallery tr { vertical-align:top; } table.gallery td { background-color:#F9F9F9; border:2px solid white; vertical-align:top; } table.gallery caption { font-weight:bold; } div.gallerybox { margin:2px; } div.gallerybox div.thumb { border:1px solid #CCCCCC; margin:2px; text-align:center; } div.gallerytext { font-size:94%; overflow:hidden; padding:2px 4px; } table.mw-enhanced-rc { background:none repeat scroll 0 0 transparent; border:0 none; border-spacing:0; } td.mw-enhanced-rc { font-family:monospace; padding:0; vertical-align:top; white-space:nowrap; } #mw-addcategory-prompt { display:inline; margin-left:1em; } #mw-addcategory-prompt input { margin-left:0.5em; 
margin-right:0.5em; } .mw-remove-category { background-image:url("images/remove.png"); background-position:center center; background-repeat:no-repeat; padding:8px; } .mw-ajax-addcategory { background-image:url("images/add.png"); background-position:left center; background-repeat:no-repeat; padding-left:20px; } .mw-ajax-loader { background-image:url("images/ajax-loader.gif"); background-position:center center; background-repeat:no-repeat; padding:16px; position:relative; top:-16px; } .mw-small-spinner { background-image:url("images/spinner.gif"); background-position:center center; background-repeat:no-repeat; margin-right:0.6em; padding:10px !important; } a.sortheader { margin:0 0.3em; } table.prettytable td, table.prettytable th { padding-top: 1px; padding-left: 4px; padding-right: 4px; padding-bottom: 1px; } 72c4b9ce62c61a0bb4ec0d85eb0ee2966ddf446e 2987 2986 2010-08-05T14:51:32Z TheSeven 13 We want even more padding css text/css .mw-plusminus-pos { color:#006400; } .mw-plusminus-neg { color:#8B0000; } .mw-plusminus-null { color:#AAAAAA; } span.comment { font-style:italic; } span.changedby { font-size:95%; } .texvc { direction:ltr; unicode-bidi:embed; } img.tex { vertical-align:middle; } span.texhtml { font-family:serif; } #wikiPreview.ontop { margin-bottom:1em; } #editform, #toolbar, #wpTextbox1 { clear:both; } div#mw-js-message { background-color:#FCFCFC; border:1px solid #DDDDDD; margin:1em 5%; padding:0.5em 2.5%; } .editsection { float:right; margin-left:5px; } h2#filehistory { clear:both; } table.filehistory th, table.filehistory td { vertical-align:top; } table.filehistory th { text-align:left; } table.filehistory td.mw-imagepage-filesize, table.filehistory th.mw-imagepage-filesize { white-space:nowrap; } table.filehistory td.filehistory-selected { font-weight:bold; } li span.deleted, span.history-deleted { color:#888888; font-style:italic; text-decoration:line-through; } .not-patrolled { background-color:#FFFFAA; } .unpatrolled { color:red; font-weight:bold; }
7476c8e159978d6c540190271129e53a22dcd3bb Dumping firmware 0 53 2991 2726 2010-08-05T15:07:16Z Cmwslw 1 /* From the internet */ wikitext text/x-wiki The
first step in examining an iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.

==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| class="wikitable"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| class="wikitable"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches.
|}

You can copy over the firmware file, and that is the same as extracting a dump.img file from the iPod.
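The inspection described above (treat the .ipsw as a zip, list its members, look for the tell-tale strings) can be scripted. The following is an added example, not code from the Linux4nano project; the sample archive is constructed in memory with made-up contents, and the 64 MiB size cap and the function names are assumptions.

```python
import io
import re
import zipfile

# Strings this page reports near the end of the 4G Nano bootloader file.
MARKERS = ("Apple iPod Certification Authority", "S5L8720", "Secure Boot")
MAX_MEMBER = 64 * 1024 * 1024  # assumed cap; refuse anything that inflates past it


def printable_strings(data, min_len=6):
    """Yield (offset, text) for every run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")


def inspect_ipsw(blob):
    """Map each archive member to the marker-bearing strings found in it."""
    source = io.BytesIO(blob)
    if not zipfile.is_zipfile(source):
        raise ValueError("not a zip container")
    report = {}
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            # Read in memory instead of extracting to disk: member names are
            # untrusted, and the size declared in the header can be wrong.
            with archive.open(info) as member:
                data = member.read(MAX_MEMBER + 1)
            if len(data) > MAX_MEMBER:
                raise ValueError("member too large: " + info.filename)
            report[info.filename] = [
                (offset, text)
                for offset, text in printable_strings(data)
                if any(marker in text for marker in MARKERS)
            ]
    return report


def build_sample_ipsw():
    """Constructed stand-in for a 4G Nano .ipsw; every byte here is made up."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Firmware.MSE", bytes(range(256)) * 8)
        archive.writestr("manifest.plist", "<plist><dict/></plist>")
        # 300 non-printable bytes, then the marker strings NUL-separated.
        bootloader = b"\x00\xea\x12" * 100
        bootloader += b"\x00".join(m.encode("ascii") for m in MARKERS) + b"\x00"
        archive.writestr("N58s.bootloader.release.rb3", bootloader)
    return buffer.getvalue()


if __name__ == "__main__":
    for name, hits in inspect_ipsw(build_sample_ipsw()).items():
        print(name)
        for offset, text in hits:
            print("  0x%06x  %s" % (offset, text))
```

To run it against a downloaded image, pass the file's bytes to `inspect_ipsw` in place of the constructed sample.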
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

f3659e58ed9911a45474ab638dee412ba3d13448 Nano2G clock gates 0 191 2992 2756 2010-08-05T15:08:33Z Cmwslw 1 wikitext text/x-wiki

(State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!)

===PWRCON===
{| class="wikitable"
! Bit !! State !! Meaning
|-
| 31 || 0 || Probably a padding bit
|-
| 30 || 0 || Probably a padding bit
|-
| 29 || 0 || Probably a padding bit
|-
| 28 || 0 || Probably a padding bit
|-
| 27 || 0 || Probably a padding bit
|-
| 26 || 0 || Probably a padding bit
|-
| 25 || 0 || Probably a padding bit
|-
| 24 || 0 || Probably a padding bit
|-
| || ||
|-
| 23 || 0 || Probably a padding bit
|-
| 22 || 0 || RTC? (Datasheet)
|-
| 21 || 0 || SDRAM? (Datasheet)
|-
| 20 || 0 || ECC (Datasheet mismatch, proven to be ECC)
|-
| 19 || 1 || ATA? (Datasheet)
|-
| 18 || 1 || LCD? (Datasheet)
|-
| 17 || 1 || DSP? (Datasheet)
|-
| 16 || 0 || USBHOST? (Datasheet)
|-
| || ||
|-
| 15 || 0 || USBFUNC? (Datasheet)
|-
| 14 || 1 || USB PHY
|-
| 13 || 1 || RTC? (Datasheet)
|-
| 12 || 1 || CHIPID? (Datasheet)
|-
| 11 || 0 || GPIO? (Datasheet)
|-
| 10 || 0 || ADC? (Datasheet)
|-
| 09 || 1 || SPI? (Datasheet)
|-
| 08 || 1 || UART? (Datasheet)
|-
| || ||
|-
| 07 || 1 || SPDIF? (Datasheet)
|-
| 06 || 0 || I2S (Datasheet, verified)
|-
| 05 || 0 || I2C (Datasheet, verified)
|-
| 04 || 0 || TIMER (Datasheet, verified)
|-
| 03 || 0 || MEMSTICK? (Datasheet)
|-
| 02 || 0 || SDC/MMC? (Datasheet)
|-
| 01 || 0 || FMC? (Datasheet)
|-
| 00 || 0 || LCDC? (Datasheet)
|}

===PWRCONEXT===
{| class="wikitable"
! Bit !! State !! Meaning
|-
| 31 || 0 || Probably a padding bit
|-
| 30 || 0 || Probably a padding bit
|-
| 29 || 0 || Probably a padding bit
|-
| 28 || 0 || Probably a padding bit
|-
| 27 || 0 || Probably a padding bit
|-
| 26 || 0 || Probably a padding bit
|-
| 25 || 0 || Probably a padding bit
|-
| 24 || 0 || Probably a padding bit
|-
| || ||
|-
| 23 || 0 || Probably a padding bit
|-
| 22 || 0 || Probably a padding bit
|-
| 21 || 0 || Probably a padding bit
|-
| 20 || 0 || Probably a padding bit
|-
| 19 || 0 || Probably a padding bit
|-
| 18 || 0 || Probably a padding bit
|-
| 17 || 0 || Probably a padding bit
|-
| 16 || 0 || Probably a padding bit
|-
| || ||
|-
| 15 || 0 || Probably a padding bit
|-
| 14 || 0 || Probably a padding bit
|-
| 13 || 1 || Unknown
|-
| 12 || 0 || Unknown, but needs to be powered on
|-
| 11 || 1 || USB OTG
|-
| 10 || 1 || AES unit
|-
| 09 || 1 || Unknown
|-
| 08 || 1 || Unknown
|-
| || ||
|-
| 07 || 0 || LCD SPI I/F
|-
| 06 || 0 || NAND/FMC
|-
| 05 || 1 || Unknown
|-
| 04 || 1 || Unknown
|-
| 03 || 1 || Unknown
|-
| 02 || 1 || Hashing unit
|-
| 01 || 1 || Unknown
|-
| 00 || 0 || Clickwheel?
|}

73298e0391563549bdc5ac50fd8e319ebb1dd971 Address bruteforcing 0 122 2993 2720 2010-08-05T15:10:16Z Cmwslw 1 wikitext text/x-wiki

'''NOTICE: This process is no longer needed.''' Anybody left trying this is wasting their time, but we are preserving it for reference.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Tested
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080f0104.htm || a080f7f04.htm || Tested
|-
| JoeWheeler || 3G Nano || 1.1.3 || Windows || a08100104.htm || a08100904.htm || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe <sup>1</sup> || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|-
| KAB123 || 2G Classic || 2.0.1 || Windows || 09196804.htm 08334d04.htm || #4 for sweepfreeze, #4 for sweepcrash. ||
|}

<sup>1</sup> - I have added a video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]

850f04c412a1ac98471d835fdcd17f247db42302 Nanotron 3000 0 130 2994 2721 2010-08-05T15:11:10Z Cmwslw 1 /* Timings for resetting and rebooting iPods */ wikitext text/x-wiki

'''NOTICE: This project is an old attempt at [[Address bruteforcing]].''' Nanotrons are no longer needed.

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses.
If the LEGO idea is not feasible we can resort to using transistors like [[Sto]] used on the 2G. This would be more expensive but easier IMO.

== Completed Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This Nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3G. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of [[cmwslw]]'s code.

== Timings for resetting and rebooting iPods ==
{| class="wikitable"
|-
! Action !! Nano 4G !! Classic 2G
|-
| Reset || 5 seconds || 5 seconds
|-
| Reboot to main menu (cable disconnected) || 17.5 seconds || 28 seconds
|-
| Reboot to main menu (cable connected) || 35 seconds || 28 seconds
|-
| Reboot to disk mode (cable disconnected) || 2-3 seconds || 4-5 seconds
|-
| Reboot to disk mode (cable connected) || 11 seconds || 4-5 seconds
|-
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
'''This info is sort of outdated but possibly useful.'''

Currently, the easiest way to test for a working iPod is to look for a line similar to:
<pre>
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
</pre>
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late).
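A check like this has to ignore enumeration lines left over from earlier boots. The following is an added example, not Linux4nano code: it records the newest kernel timestamp before a test and classifies only what is logged afterwards. Apart from the enumeration line quoted above, the log lines are constructed, and the shape of the USB error lines is an assumption.

```python
import re

STAMPED = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
ENUMERATED = re.compile(r"^scsi \S+: Direct-Access\s+Apple\s+iPod\b")
USB_ERROR = re.compile(r"^usb \S+: .*\berror -\d+")  # assumed shape of the errors


def parse(lines):
    """Yield (seconds, message) for each timestamped kernel log line."""
    for raw in lines:
        match = STAMPED.match(raw)
        if match:
            yield float(match.group(1)), match.group(2)


def last_timestamp(lines):
    """Newest timestamp in the log; take this just before starting a test."""
    stamps = [seconds for seconds, _ in parse(lines)]
    return max(stamps) if stamps else 0.0


def classify(lines, since):
    """Judge one test run using only entries newer than the baseline."""
    errors = 0
    for seconds, message in parse(lines):
        if seconds <= since:
            continue  # belongs to an earlier run; must not count
        if ENUMERATED.match(message):
            return "working"
        if USB_ERROR.match(message):
            errors += 1
    return "usb-errors" if errors else "silent"


# Log as it stood when the test began. First line is quoted on this page,
# the second is constructed.
PREVIOUS_RUN = [
    "[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
    "[ 9301.004512] usb 1-4: USB disconnect, device number 21",
]

# Constructed: the iPod booted normally and enumerated again.
RUN_WORKING = [
    "[ 9338.410022] usb 1-4: new high-speed USB device number 22 using ehci-pci",
    "[ 9340.551200] scsi 18:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0",
]

# Constructed: a frozen iPod that keeps failing USB enumeration.
RUN_USB_ERRORS = [
    "[ 9338.410022] usb 1-4: new high-speed USB device number 22 using ehci-pci",
    "[ 9338.930415] usb 1-4: device descriptor read/64, error -71",
    "[ 9339.450871] usb 1-4: device descriptor read/64, error -71",
]


if __name__ == "__main__":
    baseline = last_timestamp(PREVIOUS_RUN)
    print("stale log only:", classify(PREVIOUS_RUN, baseline))
    print("working run:   ", classify(PREVIOUS_RUN + RUN_WORKING, baseline))
    print("frozen run:    ", classify(PREVIOUS_RUN + RUN_USB_ERRORS, baseline))
```

A "silent" result only means nothing was logged yet, so the caller should wait out the boot time from the timings table before trusting it.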
Care will be needed to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

9aaaa6cc9357908b13a8c5aef3c97bba7590b5ac Nano 1G 0 240 2996 2906 2010-08-05T15:11:50Z Cmwslw 1 /* Components */ wikitext text/x-wiki

[[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 4 || CPU || Portal Player PP5021C-TDF || PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN || This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| 5 || SDRAM || [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] || SEC534 BG75, K4M56163PG, AQF061WX || A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| 10 || Utility Flash || [http://www.sst.com/products/?inode=41856 SST39WF400A] || SST39WF400A, 90-4C-C1QE, 0528149A || This chip is documented very well. A similar chip is on the [[Nano 2G]].
|-
| 1 || NAND Flash || Varies || ||
|-
| 2 || Click wheel controller || CY8C21434 || CPMCYP, 6360A 02, K0R0512, 610881 ||
|-
| 3 || ATA flash disk controller || SST5SLD019K || Logo, 55LD019K, 45-C-MWE, 0528071-A4 ||
|-
| 6 || Audio codec || WM8975G || WM8975G, 56AGVF4 ||
|-
| 7 || Step down regulator || LM34910 || JM54RE, 34910SD ||
|-
| 8 || Power manager || PCF50607 || CF50607, 605940, Bug528, 23e/N1Y ||
|-
| 9 || USB charging || LTC4066 || Logo, 5F, 4066, N7537 ||
|}

==Helpful pages==
Chip analyses:
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx
Teardowns:
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed
Other:
*http://www.ipodlinux.org/wiki/Generations

0760d3ed6421a86fc9c404917f5c838172eb7f8d Nano 2G 0 241 2997 2907 2010-08-05T15:12:06Z Cmwslw 1 /* Components */ wikitext text/x-wiki

[[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 1 || CPU || Samsung S5L8701 || 337S32918701, N042DQS, 0636 ARM || System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 256kB SRAM, external RAM, flash and LCD controllers, USB (1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|- | 2 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75, K4M56163PG, AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | 3 | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A, 90-4C-C2QE, 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | N/A | DSP | N/A | N/A | Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. |- | B1 | NAND Flash | Varies |TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20 | |- | 6 | USB charging | LTC4066 |Linear Technology, 6H, 4066, B8966 | |- | 5 | Audio codec? | WM something? |APPLE, 338S0310, 68BTST8 | |- | 4 | Step down regulator | LM34910 |National Semiconductor, JM66RJ, L34910B | |- | B2 | Power manager (below) | Probably Dialog? 
|APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2
|
|}

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
*http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager)
*http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans)

Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

99532844a0a8cb3f3037a6e3b75499fe7b4b54d5 S5L8701 analysis 0 89 2998 2691 2010-08-05T15:13:47Z Cmwslw 1 wikitext text/x-wiki

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]

== Introduction ==
The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used in some contemporary MP3 players. We currently know almost nothing about the differences between the two chips or about their further evolution.

There is probably a small unencrypted boot ROM inside, probably containing crypto information, which would be very useful for integrating user software. Knowing the location of some JTAG pins could be very helpful.

There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double-sided PCB substrate.
The electrical current passes through:
*a pad of the chip die
*a bonding wire
*the top layer of the substrate
*a via
*the bottom layer
*finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). To do this, we analyze the bonding and the PCB.

== Packaging analysis ==
The following steps were performed:
*desoldering of the IC
*removal of the balls and filler glue
*X-ray picture
*microscope picture of the bottom layer
*removal of the bottom layer and most of the substrate (by careful manual grinding)
*microscope picture of the top layer
*superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==
The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status.

This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). See [[Nano2G%2BHW%2Banalysis]] for further PCB analysis.

f0846e8782bdf9996f518ad5e409b767a039083a Nano 3G 0 242 2999 2908 2010-08-05T15:14:17Z Cmwslw 1 /* Components */ wikitext text/x-wiki

[[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 2
| CPU
| Samsung S5L8702
| 337S3473 8702, NONBWOEC, 0731 ARM
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| 3
| SDRAM
| [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75
| 0728, C, HYE18M256, 169CX75, W3338092
| SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI].
Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | V80B, 729379 | Flash - NOR, 8Mb, Serial SPI |- | 6 | NAND Flash | Varies | Samsung 728, K9HCG08U5M, PCB0, FCF285X1 | |- | 1 | Audio codec | WM1870 | APPLE, 338S0462, 76BZKTM | |- | 4 | Power manager | D1671B | 338S0408, 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 70185320d265629e06852d1acfadf6e057ea4eea Nano 4G 0 243 3000 2928 2010-08-05T15:14:35Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. 
|- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | Probably Dialog? | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 2ee998355f6283bee080a544c048fcd6158a634b Nano 5G 0 244 3001 2922 2010-08-05T15:14:50Z Cmwslw 1 /* Components */ wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. 
|-
| 7
|
|
| 0630, CK9Y, 925
|
|}

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157

Other:
*http://purpleskank.wikidot.com/ipod-nano-5g
*http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271

ffacbd18f9b8020761a45e8694c6d0384c5af6a8 Classic 1G 0 245 3002 2929 2010-08-05T15:15:13Z Cmwslw 1 /* Components */ wikitext text/x-wiki

[[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 3
| CPU
| Samsung S5L8702
|
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G
|-
| 2
| SDRAM
| K4X51163PE
|
|
|-
| 5
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]
|
| Same as on the Nano 3G
|-
| 4
| Audio codec
| Cirrus
|
|
|-
| 1
| Power manager
| Probably Dialog?
| APPLE, 338S0445, 2114.102, ZPD7383Y
|
|-
| 6
| USB charging
| LTC4066
|
|
|}

==Helpful pages==
Teardowns:
*TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back]

Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html

c4146e5be97c7851e23f513cd95b2e391d241099 Chronology 0 65 3003 2808 2010-08-05T15:15:44Z Cmwslw 1 wikitext text/x-wiki

This page lists all iPod models and fixes the names used for them, so that nobody on this wiki or on IRC is confused about which device we are talking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page.

==iPod Series==
{| class="wikitable"
! Model !! Introduced !! Capacity !!
Notes |- | [http://support.apple.com/kb/HT1353#scrollwheel 1G] | 2001-10 | 5 GB or 10 GB | |- | [http://support.apple.com/kb/HT1353#touchwheel 2G] | 2002-07 | 10 GB or 20 GB | |- | [http://support.apple.com/kb/HT1353#dockconnector 3G] | 2003-04 | 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB | |- | [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] | 2004-07 | 20 GB or 40 GB | |- | [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] | 2004-10 | 20 GB, 30 GB, or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] | 2005-10 | 30 GB or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] | 2006-09 | 30 GB or 80 GB | |- | [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G] | 2007-09 | 80 GB or 160 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G] | 2008-09 | 120 GB | |- | [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G] | 2009-09 | 160 GB | |} ==iPod Nano Series== {| class="wikitable" ! Model !! Introduced !! Capacity !! Notes |- | [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] | 2005-09 | 1 GB, 2 GB, or 4 GB | |- | [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] | 2006-09 | 2 GB, 4 GB, or 8 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] | 2007-09 | 4 GB or 8 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] | 2008-09 | 8 GB or 16 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] | 2009-09 | 8 GB or 16 GB | |} ==Timeline== [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. 
Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money to the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

==Helpful Pages==
http://support.apple.com/kb/HT1353

bd416036f2a91621bdfda89ba9075cc3d1adeb88 MPEG movies 0 173 3004 2760 2010-08-05T15:16:47Z Cmwslw 1 wikitext text/x-wiki

Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First do everything in this article ([[ILoader Howto]]), including installing Rockbox.

== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg.
Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, and then press Enter:

 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the output file to have, ending in .mpeg. An example string you would type in would be:

 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg

Now wait for the program to finish. On your Desktop you should now see a new file. Boot your iPod into disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod into Rockbox, click Files, then click on your movie file, and it should play.

== Linux Instructions: ==
Mac OS X users can follow these instructions after getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:

 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]

Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the output file to have, ending in .mpeg. An example string you would type in would be:

 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg

''Note: If libmp3lame doesn't work use just mp3.''

Now copy the resulting video file to your iPod Nano 2G.
In Rockbox, navigate to your file and play it.

== Several Notes ==
To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.

d8771b1fbef0176a29f08d8a524cfe8e9cfc143e Modes 0 52 3005 2935 2010-08-05T15:17:21Z Cmwslw 1 /* Getting DFU mode on 3G/4G */ wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed for as long as the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since the Nano 3G) is probably contained in the processor's on-chip boot ROM. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| ?
| ?
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| 1261
| 1223
|}

Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It is accompanied by a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section of TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except on the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

4e1dd843af1ff4e1bdd379b647d8137012c5d4d6 EmBIOS Monitor Protocol 0 258 3007 2010-08-05T15:39:13Z TheSeven 13 Created page with 'This article describes the USB communcation protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Comma...' wikitext text/x-wiki

This article describes the USB communication protocol of the emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

Unless stated otherwise, everything is little endian.
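The framing this article specifies (a 16-byte little-endian header on the command endpoints, with the command ID or status code in the first word, as the sections that follow lay out) can be built and checked on the host before any USB transfer is made. The sketch below is an added example, not TheSeven's code: it packs commands 1, 4 and 5, enforces the packet-size limits, and rejects responses whose status is not 1. The function names, the address and the sample response bytes are constructed for illustration.

```python
import struct

HEADER_LEN = 16                      # every command and response starts with 16 bytes
STATUS_OK, STATUS_BUSY = 1, 3        # 0 = invalid and 2 = unsupported are errors
CMD_GET_INFO, CMD_READ_MEM, CMD_WRITE_MEM = 1, 4, 5


class MonitorError(Exception):
    """Malformed response, or status 0 (invalid) / 2 (not supported)."""


class DeviceBusy(Exception):
    """Status 3: another asynchronous command is running, retry later."""


def build_get_info(info_type):
    """Command 1: ID, information type (0 = version, 1 = packet sizes), 8 zero bytes."""
    return struct.pack("<II8x", CMD_GET_INFO, info_type)


def build_read_memory(address, length, max_cmd_in):
    """Command 4: header plus returned data must fit in one Command IN packet."""
    if length < 0 or HEADER_LEN + length > max_cmd_in:
        raise ValueError("read of %d bytes exceeds the Command IN packet size" % length)
    return struct.pack("<IIII", CMD_READ_MEM, address, length, 0)


def build_write_memory(address, data, max_cmd_out):
    """Command 5: header plus payload must fit in one Command OUT packet."""
    data = bytes(data)
    if HEADER_LEN + len(data) > max_cmd_out:
        raise ValueError("write of %d bytes exceeds the Command OUT packet size" % len(data))
    return struct.pack("<IIII", CMD_WRITE_MEM, address, len(data), 0) + data


def split_response(packet):
    """Check the status word; return (12 command-specific header bytes, data stage)."""
    if len(packet) < HEADER_LEN:
        raise MonitorError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status != STATUS_OK:
        raise MonitorError("status code %d" % status)
    return packet[4:HEADER_LEN], packet[HEADER_LEN:]


def parse_version(packet):
    """Response to command 1, information type 0."""
    fields, _ = split_response(packet)
    svn, major, minor, patch, sw_type, dev_type = struct.unpack("<IBBBBI", fields)
    return {"svn_revision": svn, "version": (major, minor, patch),
            "software_type": sw_type, "device_type": dev_type}


def parse_packet_sizes(packet):
    """Response to command 1, information type 1."""
    fields, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def parse_read_memory(packet, requested):
    """Response to command 4: the data stage must hold the requested bytes."""
    _, data = split_response(packet)
    if len(data) < requested:
        raise MonitorError("device returned fewer bytes than requested")
    return data[:requested]


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 120, 0, 1, 0, 2, 0x12345678)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_READ = struct.pack("<I12x", 1) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    print(parse_version(SAMPLE_VERSION))
    # 0x08000000 is a constructed address used only to show the byte order.
    print(build_read_memory(0x08000000, 4, sizes["cmd_in"]).hex())
    print(parse_read_memory(SAMPLE_READ, 4).hex())
```

Query the packet sizes first and pass the reported limits to the builders, so an oversized request is refused on the host rather than sent.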
== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Both variants are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !!
Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe.
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

I2C transactions are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)
|-
|}

=== 9: Write to I2C device ===
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} c87040f70ae55fe46abe5b1a55cc2eab79c31526 3008 3007 2010-08-05T15:59:15Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged, however there might be substantial delay before device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. 
You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. 
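A host-side sketch of the framing rules for commands 1, 4, 5 and 6 as specified above, added here as an example (it is not emBIOS project code). Function names, the sample size response and the sample address are constructed for illustration, and no USB I/O is performed: the functions only build and validate byte strings.

```python
import struct

HEADER_LEN = 16          # every command and response starts with a 16-byte header
STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 1, 2, 3
CMD_GET_INFO, CMD_READ_MEM, CMD_WRITE_MEM, CMD_READ_DMA = 1, 4, 5, 6
INFO_PACKET_SIZES = 1    # "requested information type" for the size query


class ProtocolError(Exception):
    """Response that must not be used (status 0, 2, unknown, or malformed)."""


class DeviceBusy(ProtocolError):
    """Status 3: another asynchronous command is running, retry later."""


def check_status(resp):
    """Validate the response header before any payload byte is looked at."""
    if len(resp) < HEADER_LEN:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", resp, 0)
    if status == STATUS_OK:
        return
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status == STATUS_UNSUPPORTED:
        raise ProtocolError("command not supported")
    raise ProtocolError("invalid status code %d, bailing out" % status)


def build_get_packet_sizes():
    """Command 1, information type 1; bytes 8..15 are zero."""
    return struct.pack("<II8x", CMD_GET_INFO, INFO_PACKET_SIZES)


def parse_packet_sizes(resp):
    """Return the four endpoint limits from a 'get packet size' response."""
    check_status(resp)
    cmd_out, cmd_in, data_out, data_in = struct.unpack_from("<HHII", resp, 4)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def _check_range(addr, length):
    # Address and length are 32-bit fields; reject wrap-around before packing.
    if addr < 0 or length < 0 or addr + length > 2 ** 32:
        raise ValueError("address range does not fit in 32 bits")


def build_read_memory(addr, length, limits):
    """Command 4: the response (header + data) must fit the Command IN limit."""
    _check_range(addr, length)
    if HEADER_LEN + length > limits["cmd_in"]:
        raise ValueError("read would exceed Command IN packet size")
    return struct.pack("<IIII", CMD_READ_MEM, addr, length, 0)


def build_write_memory(addr, data, limits):
    """Command 5: header + data must fit the Command OUT limit."""
    _check_range(addr, len(data))
    if HEADER_LEN + len(data) > limits["cmd_out"]:
        raise ValueError("write would exceed Command OUT packet size")
    return struct.pack("<IIII", CMD_WRITE_MEM, addr, len(data), 0) + bytes(data)


def build_read_dma(addr, length, limits):
    """Command 6: data arrives on the Data IN endpoint, so only that limit applies."""
    _check_range(addr, length)
    if length > limits["data_in"]:
        raise ValueError("read would exceed Data IN packet size")
    return struct.pack("<IIII", CMD_READ_DMA, addr, length, 0)


def parse_read_memory(resp, requested):
    """Return exactly the requested bytes; refuse truncated responses."""
    check_status(resp)
    data = resp[HEADER_LEN:]
    if len(data) < requested:
        raise ProtocolError("device returned fewer bytes than requested")
    return bytes(data[:requested])


# Constructed sample data (not captured from a device).
SAMPLE_SIZES_RESPONSE = struct.pack("<IHHII", STATUS_OK, 512, 512, 65536, 65536)
SAMPLE_ADDR = 0x22000000

if __name__ == "__main__":
    limits = parse_packet_sizes(SAMPLE_SIZES_RESPONSE)
    print(limits)
    print(build_read_memory(SAMPLE_ADDR, 64, limits).hex())
```

Checking the status word before touching the payload matters because the specification leaves the payload undefined for any status other than 1.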
=== 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. 
{| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} d3e04b1a32e164b4df6629fcdf059fc7e0d9bd9b 3009 3008 2010-08-05T19:24:46Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. 
The first 4 bytes of the header, interpreted as a 32bit word, is the status code, the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} b8630d499e114de6cdfce71b91deaff60560e45e 3010 3009 2010-08-05T19:26:42Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Software Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Read memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Read from I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} e94bc41cf00f6e2f55e00f507e71d14e4cfea76a EmBIOS Monitor Protocol 0 258 3011 3010 2010-08-05T20:47:48Z Wolftail 138 /* 5: Read memory */ wikitext text/x-wiki This article describes the USB communication protocol of the emBIOS Monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Read from I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} 13c5175c61fd5f39717e46a6e403110222d0f278 3012 3011 2010-08-05T20:48:50Z Wolftail 138 /* 9: Read from I2C device */ wikitext text/x-wiki This article describes the USB communication protocol of the emBIOS Monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
Both variants are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
I2C transactions are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)
|-
|}

=== 9: Write to I2C device ===
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer
|-
|}
73f61ec6d03fec3e1de8792ffc0739b451cb677d 3013 3012 2010-08-05T20:58:30Z TheSeven 13 wikitext text/x-wiki
This article describes the USB communication protocol of the emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Software Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
Both variants are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size
|-
|}

=== 14: Flush device's console buffers ===
Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
9123473bfec6cb64047816e4d99decf30295fc93 3014 3013 2010-08-05T21:33:40Z TheSeven 13 wikitext text/x-wiki
This article describes the USB communication protocol of the emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.
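
The 16-byte header layout, worked through in Python as an added example (not part of the original article or of the emBIOS code). It packs commands 1, 4 and 5 as tabulated on this page, enforces the Command IN/OUT size limits before anything is sent, and decodes response headers. All function names, the address `0x08000000` and the two sample responses are constructed for illustration.

```python
import struct

HEADER_LEN = 16  # commands and responses both start with a 16-byte header

# Status codes and device type IDs as listed in the page's tables.
STATUS = {0: "invalid response", 1: "OK", 2: "command not supported", 3: "device busy"}
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",   # bytes on the wire spell "IN2G"
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",   # bytes on the wire spell "IPCL"
}


class ProtocolError(Exception):
    """A packet would violate, or does violate, the documented layout or limits."""


def build_command(cmd_id, arg1=0, arg2=0, arg3=0, payload=b"", max_cmd_out=None):
    """Pack the header as four little-endian 32-bit words, then append the data."""
    packet = struct.pack("<4I", cmd_id, arg1, arg2, arg3) + bytes(payload)
    if max_cmd_out is not None and len(packet) > max_cmd_out:
        raise ProtocolError(f"{len(packet)} bytes exceeds Command OUT limit {max_cmd_out}")
    return packet


def get_version_command():
    return build_command(1, 0)  # command 1, information type 0


def get_packet_sizes_command():
    return build_command(1, 1)  # command 1, information type 1


def read_memory_command(address, size, max_cmd_in):
    """Command 4: the response (header plus data) must fit the Command IN limit."""
    if HEADER_LEN + size > max_cmd_in:
        raise ProtocolError(f"{size}-byte read does not fit Command IN limit {max_cmd_in}")
    return build_command(4, address, size)


def write_memory_command(address, data, max_cmd_out):
    """Command 5: header plus data must fit the Command OUT limit."""
    return build_command(5, address, len(data), payload=data, max_cmd_out=max_cmd_out)


def parse_response(raw):
    """Split a response into (status, remaining 12 header bytes, data stage)."""
    if len(raw) < HEADER_LEN:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", raw, 0)
    if status == 0 or status not in STATUS:
        raise ProtocolError(f"invalid status code {status}, bailing out")
    return status, raw[4:HEADER_LEN], raw[HEADER_LEN:]


def parse_version(raw):
    status, fields, _ = parse_response(raw)
    if status != 1:
        raise ProtocolError(STATUS[status])
    revision, major, minor, patch, software, device = struct.unpack("<I4BI", fields)
    return {
        "svn_revision": revision,
        "version": (major, minor, patch),
        "software_type": software,
        "device": DEVICE_TYPES.get(device, f"unknown (0x{device:08x})"),
    }


def parse_packet_sizes(raw):
    status, fields, _ = parse_response(raw)
    if status != 1:
        raise ProtocolError(STATUS[status])
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<2H2I", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in, "data_out": data_out, "data_in": data_in}


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<2I4BI", 1, 123, 0, 1, 0, 1, 0x47324E49)
SAMPLE_SIZES = struct.pack("<I2H2I", 1, 512, 512, 65536, 65536)

if __name__ == "__main__":
    limits = parse_packet_sizes(SAMPLE_SIZES)
    print(parse_version(SAMPLE_VERSION))
    print(read_memory_command(0x08000000, 64, limits["cmd_in"]).hex())
```

A status of 3 is returned rather than raised by `parse_response`, so a caller can retry the asynchronous command later.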
After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands.
{| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} ff046f4a924a354c5bb02254a265544cc4c6fd25 3015 3014 2010-08-05T22:43:32Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response.
The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands.
{| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 51b4337d96f483b902a030c8b2b3ed83e69f5812 3017 3015 2010-08-05T23:08:10Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. 
You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint.
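A host-side sketch of the header handling described above, as an added example that is not code from the emBIOS project: it packs the 16-byte command header, checks the status code before trusting any other response field, refuses reads that would exceed the Command IN limit, and drops the undefined padding of a console read. The function names, the strict length checks and the sample responses are assumptions constructed for illustration.

```python
import struct

HEADER_LEN = 16   # every command and response starts with a 16-byte header
STATUS_OK = 1
STATUS_TEXT = {0: "invalid response", 2: "command not supported", 3: "device busy"}
# Hardware Types table. The IDs are four ASCII characters stored little endian,
# e.g. 0x47324e49 is the byte string b"IN2G".
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class ProtocolError(Exception):
    """A response did not match the documented packet layout."""


def build_command(cmd_id, *args):
    """Pack the command ID plus up to three 32-bit arguments, zero-filling the rest."""
    if len(args) > 3:
        raise ValueError("the 16-byte header holds at most three 32-bit arguments")
    return struct.pack("<4I", cmd_id, *args, *([0] * (3 - len(args))))


def build_read_memory(address, length, max_cmd_in):
    """Command 4. The response (header + data) must fit the Command IN packet size."""
    if length < 0 or HEADER_LEN + length > max_cmd_in:
        raise ValueError("read would exceed the maximum Command IN packet size")
    return build_command(4, address, length)


def check_header(resp):
    """Validate length and status code before any other field is interpreted."""
    if len(resp) < HEADER_LEN:
        raise ProtocolError("response shorter than the 16-byte header")
    status = struct.unpack_from("<I", resp, 0)[0]
    if status != STATUS_OK:
        raise ProtocolError(STATUS_TEXT.get(status, "unknown status %d" % status))


def parse_version(resp):
    """Response to command 1, information type 0."""
    check_header(resp)
    svn, major, minor, patch, sw_type, dev_type = struct.unpack_from("<IBBBBI", resp, 4)
    return {
        "svn": svn,
        "version": (major, minor, patch),
        "software_type": sw_type,
        "device": DEVICE_TYPES.get(dev_type, "unknown"),
        "device_tag": struct.pack("<I", dev_type).decode("ascii", "replace"),
    }


def parse_packet_sizes(resp):
    """Response to command 1, information type 1: two 16-bit and two 32-bit limits."""
    check_header(resp)
    names = ("cmd_out", "cmd_in", "data_out", "data_in")
    return dict(zip(names, struct.unpack_from("<HHII", resp, 4)))


def parse_console_read(resp, requested):
    """Response to command 10: keep only the bytes the device marks as valid."""
    check_header(resp)
    valid, _buf_size, waiting = struct.unpack_from("<3I", resp, 4)
    data = resp[HEADER_LEN:HEADER_LEN + requested]
    if valid > len(data):
        # Assumption: a count larger than the data actually received is an error.
        raise ProtocolError("device claims more valid bytes than it sent")
    return data[:valid], waiting


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 1234, 0, 1, 0, 1, 0x47324E49)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_CONSOLE = struct.pack("<4I", 1, 5, 4096, 0) + b"hello" + b"\xaa" * 11
SAMPLE_BUSY = struct.pack("<4I", 3, 0, 0, 0)

if __name__ == "__main__":
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    print(sizes)
    print(parse_version(SAMPLE_VERSION))
    print(build_read_memory(0x08000000, 64, sizes["cmd_in"]).hex())
    print(parse_console_read(SAMPLE_CONSOLE, 16))
```
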
=== 7: Write memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. 
{| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Get user memory address range === Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} 4c0a38e86a3e84e210c76cd0080f820a1ebeb4f9 3018 3017 2010-08-05T23:09:27Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor.
== Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, contain the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
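The header framing, status codes and command 1 layouts described above, as an added Python example (not part of the wiki page or of the emBIOS code base): it builds the 16-byte Get device information packets, decodes the three response layouts, and checks an address range against the reported user memory bounds. All function names are assumptions of this example, and the sample responses (including the SVN revision and memory bounds in them) are constructed, not captured from a device.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header
STATUS_TEXT = {0: "invalid response", 1: "OK", 2: "command not supported",
               3: "device busy, retry later"}
SOFTWARE_TYPES = {1: "emBIOS Debugger"}
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}
CMD_GET_INFO = 1
INFO_VERSION, INFO_PACKET_SIZES, INFO_USER_MEMORY = 0, 1, 2


class ProtocolError(Exception):
    """Raised when a response header cannot be trusted."""


def build_get_info(info_type):
    """Command 1 packet: command ID, information type, 8 zero bytes."""
    if info_type not in (INFO_VERSION, INFO_PACKET_SIZES, INFO_USER_MEMORY):
        raise ValueError("unknown information type %r" % (info_type,))
    return struct.pack("<II8x", CMD_GET_INFO, info_type)


def check_status(response, allowed=(1,)):
    """Validate the 16-byte header and return the status code.

    Status 0 always means bail out. Asynchronous commands may pass
    allowed=(1, 3) to treat "busy" as a retry signal instead of an error.
    """
    if len(response) < HEADER_SIZE:
        raise ProtocolError("short response: %d bytes" % len(response))
    (status,) = struct.unpack_from("<I", response, 0)
    if status not in allowed:
        raise ProtocolError("status %d (%s)"
                            % (status, STATUS_TEXT.get(status, "unknown")))
    return status


def parse_version(response):
    """Information type 0: revision, version bytes, software and device IDs."""
    check_status(response)
    revision, major, minor, patch, sw_type, dev_type = struct.unpack_from(
        "<IBBBBI", response, 4)
    return {
        "svn_revision": revision,
        "version": "%d.%d.%d" % (major, minor, patch),
        "software": SOFTWARE_TYPES.get(sw_type, "invalid/unknown"),
        "device": DEVICE_TYPES.get(dev_type, "invalid/unknown"),
        # The listed device IDs read as ASCII tags in little-endian byte order.
        "device_tag": struct.pack("<I", dev_type).decode("ascii", "replace"),
    }


def parse_packet_sizes(response):
    """Information type 1: two 16-bit command sizes, two 32-bit data sizes."""
    check_status(response)
    cmd_out, cmd_in, data_out, data_in = struct.unpack_from("<HHII", response, 4)
    return {"command_out": cmd_out, "command_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def parse_user_memory(response):
    """Information type 2: (lower inclusive, upper exclusive) bounds."""
    check_status(response)
    lower, upper = struct.unpack_from("<II", response, 4)
    if lower > upper:
        raise ProtocolError("inverted user memory range")
    return lower, upper


def in_user_memory(address, length, bounds):
    """True if [address, address + length) lies inside the user memory range."""
    lower, upper = bounds
    return length >= 0 and lower <= address and address + length <= upper


# Constructed sample responses (values invented for this example).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 1234, 0, 1, 0, 1, 0x47344E49)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_MEMORY = struct.pack("<IIII", 1, 0x08000000, 0x0A000000, 0)
SAMPLE_BUSY = struct.pack("<I12x", 3)

if __name__ == "__main__":
    print(build_get_info(INFO_VERSION).hex())
    print(parse_version(SAMPLE_VERSION))
    print(parse_packet_sizes(SAMPLE_SIZES))
    bounds = parse_user_memory(SAMPLE_MEMORY)
    print(in_user_memory(0x09FFFFF0, 16, bounds))
```

Checking a target range with `in_user_memory` before issuing a memory write keeps host tools from touching memory that emBIOS itself uses.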
Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 9a7f2a567f09a126a0be5dbb2a12fc05ca19bf3b Main Page 0 50 3016 3006 2010-08-05T22:59:58Z Cmwslw 1 /* Released Software */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the Linux4nano project. Linux4nano has a fairly active IRC channel, [irc://irc.freenode.net/linux4nano-dev #linux4nano-dev] on Freenode for development related discussion. Please save questions and comments for [irc://irc.freenode.net/linux4nano #linux4nano]. There is a [http://home.gna.org/linux4nano/ project homepage] and a [http://mail.gna.org/public/linux4nano-dev/ mailing list], but these two are rarely updated. ==Updates== *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. 
This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/linux4nano our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 45c5fd0a9a081618f99bbd1016be4cffa846d532 3019 3016 2010-08-06T18:42:17Z 
Farthen 28 freemyipod transition wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to it such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 3658d39b0ed07159dd6db3ea4bc71afd7cdbbbb3 3020 3019 2010-08-06T18:42:45Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. 
*2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Willing testers]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] 
* [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} c2d6bc9e17a2e33a929a84b701443fab1dcd2921 3022 3020 2010-08-06T19:06:39Z Farthen 28 /* Project info */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} fb48c494a6849f5ba544a470fbf1f6c57e0bebab 3025 3022 2010-08-06T19:27:12Z Farthen 28 /* Project info */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. 
*2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * 
[[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 84f1cde2ed3e11d6fca061ea1312cd497b20bc94 3031 3025 2010-08-06T20:20:10Z Farthen 28 /* Project info */ wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development here: http://bit.ly/cQAuam *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 942c5ce7d26974483f81c08a73ebaf7c08296e18 3050 3031 2010-08-07T02:38:35Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] 
** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 802d7898d36b611f7204934532168396e32c4325 3058 3050 2010-08-07T09:35:40Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <addscript src='linux4nano.js' /> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 0453ffedf5cbc2622e796b0d0109cfd52fada553 3059 3058 2010-08-07T09:40:52Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <addscript src='linux4nano' /> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] 
** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} f5d3f1a480dbda73314a2aa312ee644aa3a711fe 3060 3059 2010-08-07T09:44:02Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <addscript src=linux4nano type=js /> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 148e79f915542024a694d1f87a71d7758f69ba6a 3061 3060 2010-08-07T09:56:37Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] 
** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} f0d2c34a7fcc8f73b3fdb33411d2c81f1754c2dc 3062 3061 2010-08-07T10:12:31Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <!-- linux4nano info here --> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} b9674741985b932d9be40f57d480cbd306073898 3063 3062 2010-08-07T10:21:44Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:4g_ibugger.jpg|115px|thumb|right|iBugger on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <p id="linux4nano"></p> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] 
** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 42005820570c0539b62a9e00bbfe73300c3c22da
Status 0 121 3021 2988 2010-08-06T18:59:44Z Farthen 28 freemyipod transition; custom firmwares don't belong in here wikitext text/x-wiki
This status is based on the progress the freemyipod team has made so far.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] (80/160thick) !! [[Classic 2G]] (120) !! [[Classic 3G]] (160thin)
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''Needs new exploit'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
|-
| iBugger
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
| <span style="color:grey">'''Work in progress'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}
b1a27cbb3ecde629ecafce71fe817f79a90de3bd
3054 3021 2010-08-07T02:53:17Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''Needs new exploit'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Minimalistic SRAMbugger loader'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> | <span style="color:grey">'''Work in progress'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} 69239ceb9143d75914c60d114b264b0019734638 3055 3054 2010-08-07T03:14:59Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No<ref name="newexploit"/>'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No<ref name="uartnotneeded"/>'''</span> | <span style="color:grey">'''No<ref name="uartnotneeded"/>'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> 
|- | iBugger | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes<ref name="sram"/>'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> | <span style="color:grey">'''No<ref name="inprogress"/>'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit for this device to get execution.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="inprogress">Someone already started working on this. We don't know when this will be done.</ref> <ref name="sram">This iBugger is very limited as we only have access to the SRAM. 
This is because the bigger SDRAM is not initialized at the time when our exploit is launched.</ref> </references> 2dca2d258f6c575ea63330bb7cb0fc83452c2ee0 Contributing 0 256 3023 2982 2010-08-06T19:09:31Z Farthen 28 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. 
As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware). ==Writing guides== Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information. ==Testing== Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding of the tools you're testing. Besides, we already have a lot of [[Willing testers]]. 34efd0808e42775a8ccdfb60f81a5a5d74125112 Contact 0 259 3024 2010-08-06T19:26:46Z Farthen 28 Created page with "There are various ways to contact the freemyipod team. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. === #freemyipod === This channel is..." wikitext text/x-wiki There are various ways to contact the freemyipod team. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. === #freemyipod === This channel is for anything related to the project. This may be development-related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod] === #freemyipod-chatter === This is our off-topic channel. Any stuff that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter] == Mailing lists == We have several mailing lists. You can find them on http://lists.freemyipod.org. === freemyipod === This list is for questions on the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something.
You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page] === freemyipod-commits === This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod here] 313da723b7e29dc1edc86306bb6ac970e0c13e81 3032 3024 2010-08-06T22:22:21Z Farthen 28 wikitext text/x-wiki There are various ways to contact the freemyipod team. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; please check http://logs.freemyipod.org for the log files. === #freemyipod === This channel is for anything related to the project. This may be development-related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod] === #freemyipod-chatter === This is our off-topic channel. Any stuff that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter] == Mailing lists == We have several mailing lists. You can find them on http://lists.freemyipod.org. === freemyipod === This list is for questions on the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page] === freemyipod-commits === This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list.
You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod here] 2943b042117670be7be0c6225f740532d28a0b73 SVN 0 261 3030 2010-08-06T20:19:42Z Farthen 28 Created page with "We have a Subversion repository where we store our code for our software projects. == Websvn == If you just want to browse the SVN, go to http://websvn.freemyipod.org. == Check..." wikitext text/x-wiki We have a Subversion repository where we store our code for our software projects. == Websvn == If you just want to browse the SVN, go to http://websvn.freemyipod.org. == Checkout == If you want to checkout the repository, please use this url: http://svn.freemyipod.org == Commit == If you are a registered developer you need to use this url to checkout and commit: https://svn.freemyipod.org. You need to specify your username and password.
37b0c54d9da11ef65d03d20035795a550ac6db43 3033 3030 2010-08-06T22:28:17Z Farthen 28 wikitext text/x-wiki We have a Subversion repository where we store our code for our software projects. == Builds == We have automatic builds of our software. Just head over to http://builds.freemyipod.org to download the build you want. == Websvn == If you just want to browse the SVN, go to http://websvn.freemyipod.org. == Checkout == If you want to checkout the repository, please use this url: http://svn.freemyipod.org == Commit == If you are a registered developer you need to use this url to checkout and commit: https://svn.freemyipod.org. You need to specify your username and password. 094bac4420cd36eb9d39f3839574c0860ba9eddf Template:Outdated 10 262 3034 2010-08-06T23:04:30Z Farthen 28 Created page with "'''This page is outdated.''' The information and/or topic discussed here is not up to date." wikitext text/x-wiki '''This page is outdated.''' The information and/or topic discussed here is not up to date. 1ff2ca5a325148161b233e177a268dbffbdfd8df 3035 3034 2010-08-06T23:14:19Z Farthen 28 wikitext text/x-wiki {| style="color:black;" border="1" cellpadding="5" cellspacing="0" align="left" |'''This page is outdated.''' The information and/or topic discussed here is not up to date. |} 7c6c3ef4f6918a2451073e6cdd97e9b0b061d3da 3036 3035 2010-08-06T23:22:57Z Farthen 28 wikitext text/x-wiki {| style="color:black;" border="1" cellpadding="5" cellspacing="0" align="left" |'''This page is outdated.''' The information and/or topic discussed here is not up to date. 
{{{reason}}} |} f80afc68a7021882a662615de226712cf04f3ba2 3037 3036 2010-08-06T23:28:37Z Farthen 28 wikitext text/x-wiki {| style="color:black;" border="1" cellpadding="5" cellspacing="0" align="left" |'''This page is outdated.''' The information and/or topic discussed here is not up to date.<br /> {{{reason}}} |} d3cfc98d7baf8f1b26d08ba296eacd9607e4fd91 3038 3037 2010-08-06T23:30:54Z TheSeven 13 wikitext text/x-wiki <div style="padding:10px; border: solid 2px red; background: #fee"> '''The information and/or topic discussed here is not up to date.<br /> {{{reason}}}''' </div> f290dc13ca265ec6c1f1439943232d97fe5aca10 3042 3038 2010-08-06T23:53:13Z TheSeven 13 wikitext text/x-wiki {| style="padding:10px; border: solid 2px red; background: #fee" | [[File:Nuvola_apps_important.svg|50px|Warning]] | style="width: 100%;" | '''The information and/or topic discussed here is not up to date.'''<br />{{{reason}}} |} 54ca40b8e307b0b5036076dc9aa12f561a88ba2a 3043 3042 2010-08-06T23:55:29Z TheSeven 13 wikitext text/x-wiki {| style="padding:10px; border: solid 2px red; background: #fee;" | [[File:Nuvola_apps_important.svg|50px|Warning]] | style="width: 100%; padding-left: 15px;" | '''The information and/or topic discussed here is not up to date.'''<br />{{{reason}}} |} 081469232bcb4f22af0d72361bb876c2c988525c Nanotron 3000 0 130 3039 2994 2010-08-06T23:40:48Z Farthen 28 wikitext text/x-wiki {{Outdated|reason=This project is an old attempt at [[Address bruteforcing]]}} Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like [[Sto]] used on the 2G. This would be more expensive but easier IMO. 
== Completed Nanotrons == === Farthen === [[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]] This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time. ==== Specific technical details of my nanotron ==== * motor for pressing menu is connected to motor slot 1 * motor for pressing select is connected to motor slot 2 * motor for pressing play is connected to motor slot 3 * all motors press the buttons when powered to the "upright" direction === TheSeven === [[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]] My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). 
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This Nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3G. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms, which rest on one rubber ring each, come from a bicycle wheel, and as can be seen in the pictures, they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task, which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of [[cmwslw]]'s code.

== Timings for resetting and rebooting iPods ==
{| class="wikitable"
|-
! Action
! Nano 4G
! Classic 2G
|-
| Reset
| 5 seconds
| 5 seconds
|-
| Reboot to main menu (cable disconnected)
| 17.5 seconds
| 28 seconds
|-
| Reboot to main menu (cable connected)
| 35 seconds
| 28 seconds
|-
| Reboot to disk mode (cable disconnected)
| 2-3 seconds
| 4-5 seconds
|-
| Reboot to disk mode (cable connected)
| 11 seconds
| 4-5 seconds
|-
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
'''This info is sort of outdated but possibly useful.'''

Currently, the easiest way to test for a working iPod is to look for a line similar to:
<pre>
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
</pre>
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late).
Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

d055f9fb91eae3f1aa7f6a041f458a642c6a071c 3047 3039 2010-08-07T00:46:20Z Farthen 28 /* Farthen */ wikitext text/x-wiki

{{Outdated|reason=This project is an old attempt at [[Address bruteforcing]]}}

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like [[Sto]] used on the 2G. This would be more expensive but easier IMO.

== Completed Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it, unfortunately no pictures of that one have been taken.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy.
It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though. ==== Specific technical details of my nanotron ==== * light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it). * motor for pressing the menu+select combo is connected to motor port A * motor for pressing the select+play combo is connected to motor port C === cmwslw === [[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]] My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable. === tucenaber === [[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]] This Nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3G. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rest on one rubber ring each, come from a bicycle wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. 
One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of [[cmwslw]]'s code.

== Timings for resetting and rebooting iPods ==
{| class="wikitable"
|-
! Action
! Nano 4G
! Classic 2G
|-
| Reset
| 5 seconds
| 5 seconds
|-
| Reboot to main menu (cable disconnected)
| 17.5 seconds
| 28 seconds
|-
| Reboot to main menu (cable connected)
| 35 seconds
| 28 seconds
|-
| Reboot to disk mode (cable disconnected)
| 2-3 seconds
| 4-5 seconds
|-
| Reboot to disk mode (cable connected)
| 11 seconds
| 4-5 seconds
|-
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). At that rate we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...
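One host-side way to answer the TODO above, using the kernel-log line shown under "Testing for freeze" below: record a log timestamp before each reboot and classify only the entries after it, so an enumeration left over from a previous cycle cannot pass for the current one. This is an added example, not the project's own code; the function names, the sample log, the wording of the USB error lines and the 10-second settle time are assumptions.

```python
import re

# "[ 9275.123081] message" -> (seconds since host boot, message)
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# SCSI enumeration of the iPod's disk, as in the line quoted on this page.
IPOD_RE = re.compile(r"scsi \d+:\d+:\d+:\d+: Direct-Access\s+Apple\s+iPod\b")
# Failed USB enumeration; the exact message wording is an assumption.
USB_ERR_RE = re.compile(r"usb \d+-[\d.]+: .*\berror -\d+")

# Constructed sample log: a successful enumeration from an earlier cycle,
# a disconnect, then a replug that only produces USB errors.
SAMPLE_LOG = """\
[ 9270.501200] usb 1-4: new high-speed USB device number 17 using ehci_hcd
[ 9275.123081] scsi 17:0:0:0: Direct-Access     Apple    iPod             1.62 PQ: 0 ANSI: 0
[ 9275.130412] sd 17:0:0:0: [sdb] Attached SCSI removable disk
[ 9331.002210] usb 1-4: USB disconnect, device number 17
[ 9372.410034] usb 1-4: new high-speed USB device number 18 using ehci_hcd
[ 9372.525871] usb 1-4: device descriptor read/64, error -71
[ 9372.741902] usb 1-4: device descriptor read/64, error -71
""".splitlines()


def parse(lines):
    """Yield (timestamp, message) for every line carrying a kernel timestamp."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield float(m.group(1)), m.group(2)


def log_mark(lines):
    """Timestamp of the newest entry; take it right before rebooting the iPod."""
    stamps = [ts for ts, _ in parse(lines)]
    return stamps[-1] if stamps else 0.0


def classify(lines, since, now, settle=10.0):
    """Classify one test cycle from the entries logged in (since, now].

    Returns "working" (iPod enumerated as a disk), "pending" (too early to
    judge, the enumeration line appears with a delay), or one of the two
    frozen signatures the page describes: "usb_errors" or "silent".
    """
    usb_errors = 0
    for ts, msg in parse(lines):
        if not since < ts <= now:
            continue  # entry from a previous cycle, or after the cut-off
        if IPOD_RE.search(msg):
            return "working"
        if USB_ERR_RE.search(msg):
            usb_errors += 1
    if now - since < settle:
        return "pending"
    return "usb_errors" if usb_errors else "silent"


if __name__ == "__main__":
    mark = log_mark(SAMPLE_LOG[:4])  # log state just before the reboot
    print("without mark:", classify(SAMPLE_LOG, since=0.0, now=9400.0))
    print("with mark:   ", classify(SAMPLE_LOG, since=mark, now=9400.0))
```

Without the mark, the stale enumeration at 9275 makes a frozen iPod look like a working one, which is the interference the section below warns about.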
=== Testing for freeze ===
'''This info is sort of outdated but possibly useful.'''

Currently, the easiest way to test for a working iPod is to look for a line similar to:
<pre>
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
</pre>
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

18433e8a3bde3634ae9a5503429e284c4dedcb22 IBugger 0 116 3040 2972 2010-08-06T23:42:50Z Farthen 28 wikitext text/x-wiki

{{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emBIOS]].}}
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
The two iBugger utilities use a Python script that handles USB communication with the iPod.

===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core.

There are iBugger Loader releases for the 2G and 4G Nanos.
===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes are needed to the code being debugged to allow running it in iBugger

There are iBugger Loader releases for the 2G and 4G Nanos.

fc69a05cc61e520e115325573ecd7b1ebebbcb3c File:Nuvola apps important.svg 6 264 3041 2010-08-06T23:46:48Z TheSeven 13 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Address bruteforcing 0 122 3046 2993 2010-08-07T00:41:33Z Farthen 28 wikitext text/x-wiki

{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. Their names start with either an 'a' or a 'b', followed by the address they jump to. You should try only the A files for now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_Downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files.
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] 2849cdfb644d26ed8a99a08d1347089a9c068dbc Linux4nano 0 265 3049 2010-08-07T02:35:07Z Farthen 28 Created page with "This project derived from the linux4nano project in July/August 2010. The linux4nano project had the goal - as the name might already indicate - to port Linux to the [[Nano 2G|iP..." wikitext text/x-wiki This project derived from the linux4nano project in July/August 2010. The linux4nano project had the goal - as the name might already indicate - to port Linux to the [[Nano 2G|iPod nano 2g]]. 
As none of the project members wanted to do that and as the project already cared about [[Hardware|other iPods]] we decided to change the name to freemyipod and relaunch the project. a1a54a1ef47e5c263cddfcc441252e62443db839 Classic 1G 0 245 3051 3002 2010-08-07T02:43:21Z Farthen 28 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Terminology== By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | Probably Dialog? | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html 12342c6d38e2e15b889f7aa5a6e9d2611163c7be Classic 2G 0 246 3052 2890 2010-08-07T02:46:54Z Farthen 28 wikitext text/x-wiki [[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] ==Terminology== By iPod classic 2g we mean the second iPod with the 'classic' name. It was smaller than the 160GB version of the [[Classic_1G|Classic 1g]] and was only available with 120GB storage. ==Components== Almost exactly the same hardware as the [[Classic 1G]], except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support. 
==Helpful pages==
Teardowns:
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c

c20fb43c206ec2c9022e7abe71f3a14f8a0d40ad Classic 3G 0 247 3053 2891 2010-08-07T02:52:42Z Farthen 28 wikitext text/x-wiki

No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware.

==Terminology==
By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9 2009. It is the same size as the [[Classic 2G]].

bef095645c407b7f49a1acf70fae7b27ebec8707 MediaWiki:Common.css 8 257 3056 2987 2010-08-07T03:20:15Z Farthen 28 css text/css

.mw-plusminus-pos { color:#006400; } .mw-plusminus-neg { color:#8B0000; } .mw-plusminus-null { color:#AAAAAA; } span.comment { font-style:italic; } span.changedby { font-size:95%; } .texvc { direction:ltr; unicode-bidi:embed; } img.tex { vertical-align:middle; } span.texhtml { font-family:serif; } #wikiPreview.ontop { margin-bottom:1em; } #editform, #toolbar, #wpTextbox1 { clear:both; } div#mw-js-message { background-color:#FCFCFC; border:1px solid #DDDDDD; margin:1em 5%; padding:0.5em 2.5%; } .editsection { float:right; margin-left:5px; } h2#filehistory { clear:both; } table.filehistory th, table.filehistory td { vertical-align:top; } table.filehistory th { text-align:left; } table.filehistory td.mw-imagepage-filesize, table.filehistory th.mw-imagepage-filesize { white-space:nowrap; } table.filehistory td.filehistory-selected { font-weight:bold; } li span.deleted, span.history-deleted { color:#888888; font-style:italic; text-decoration:line-through; } .not-patrolled { background-color:#FFFFAA; } .unpatrolled { color:red; font-weight:bold; } div.patrollink { font-size:75%;
text-align:right; } body.ltr td.mw-label { text-align:right; } body.ltr td.mw-input { text-align:left; } body.ltr td.mw-submit { text-align:left; } body.rtl td.mw-label { text-align:left; } body.rtl td.mw-input { text-align:right; } body.rtl td.mw-submit { text-align:right; } td.mw-label { vertical-align:top; } .prefsection td.mw-label { width:20%; } .prefsection table { width:100%; } td.mw-submit { white-space:nowrap; } table.mw-htmlform-nolabel td.mw-label { width:0 !important; } tr.mw-htmlform-vertical-label td.mw-label { text-align:left !important; } input#wpSummary { width:80%; } body.rtl .thumbcaption { text-align:right; } body.rtl .magnify { float:left; } body.ltr .thumbcaption { text-align:left; } body.ltr .magnify { float:right; } .mw-hidden-cats-hidden { display:none; } .catlinks-allhidden { display:none; } p.mw-ipb-conveniencelinks, p.mw-protect-editreasons, p.mw-filedelete-editreasons, p.mw-delete-editreasons, p.mw-revdel-editreasons { float:right; font-size:90%; } .searchresults { } .searchresults p { margin-bottom:1.2em; margin-left:0.4em; margin-top:1em; } div.searchresult { font-size:95%; width:38em; } .mw-search-results { margin-left:0.4em; } .mw-search-results li { list-style:none outside none; padding-bottom:1em; } .mw-search-results li a { font-size:108%; } .mw-search-result-data { color:green; font-size:97%; } .mw-search-formheader { background-color:#F3F3F3; border:1px solid silver; margin-top:1em; } .mw-search-formheader div.search-types { float:left; padding-left:0.25em; } .rtl .mw-search-formheader div.search-types { float:right; } .mw-search-formheader div.search-types ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.search-types ul li { float:left; margin:0; padding:0; } .mw-search-formheader div.search-types ul li a { display:block; padding:0.5em; } .mw-search-formheader div.search-types ul li.current a { color:#333333; cursor:default; } .mw-search-formheader 
div.search-types ul li.current a:hover { text-decoration:none; } .mw-search-formheader div.results-info { float:right; padding:0.5em 0.75em 0.5em 0.5em; } .mw-search-formheader div.results-info ul { list-style:none outside none !important; margin:0 !important; padding:0 !important; } .mw-search-formheader div.results-info ul li { float:right; margin:0; padding:0; } fieldset#mw-searchoptions { background-color:#F9F9F9; border-color:silver !important; border-right:1px solid silver !important; border-style:solid !important; border-width:0 1px 1px !important; margin:0; padding:0.5em 0.75em !important; } fieldset#mw-searchoptions legend { display:none; } fieldset#mw-searchoptions h4 { float:left; margin:0; padding:0; } .rtl fieldset#mw-searchoptions h4 { float:right; } fieldset#mw-searchoptions div#mw-search-togglebox { float:right; } .rtl fieldset#mw-searchoptions div#mw-search-togglebox { float:left; } fieldset#mw-searchoptions div#mw-search-togglebox label { margin-right:0.25em; } fieldset#mw-searchoptions div#mw-search-togglebox input { margin-left:0.25em; } fieldset#mw-searchoptions table { float:left; margin-right:3em; } fieldset#mw-searchoptions table td { padding-right:1em; } .rtl fieldset#mw-searchoptions table td { padding-left:1em; padding-right:0; } body.rtl fieldset#mw-searchoptions table { float:right; margin-left:3em; margin-right:0; } fieldset#mw-searchoptions div.divider { border-bottom:1px solid #DDDDDD; clear:both; margin-bottom:0.5em; padding-top:0.5em; } td#mw-search-menu { font-size:85%; padding-left:6em; } div#mw-search-interwiki { border:1px solid #AAAAAA; float:right; margin-top:2ex; width:18em; } .rtl div#mw-search-interwiki { float:left; } div#mw-search-interwiki li { font-size:95%; } .mw-search-interwiki-more { float:right; font-size:90%; } .rtl .mw-search-interwiki-more { float:left; } div#mw-search-interwiki-caption { font-size:95%; font-weight:bold; text-align:center; } .mw-search-interwiki-project { background-color:#ECECEC; 
border-top:1px solid #BBBBBB; font-size:97%; padding:0.15em 0.15em 0.2em 0.2em; text-align:left; } .rtl .mw-search-interwiki-project { text-align:right; } span.searchalttitle { font-size:95%; } div.searchdidyoumean { color:#CC0000; font-size:127%; margin-top:0.8em; } div.searchdidyoumean em { font-weight:bold; } .searchmatch { font-weight:bold; } table#mw-search-top-table { background-color:transparent; } td#mw-search-togglebox { text-align:right; } table#mw-search-powertable { width:100%; } form#powersearch { clear:both; } .mw-userrights-disabled { color:#888888; } table.mw-userrights-groups * td, table.mw-userrights-groups * th { padding-right:1.5em; } .os-suggest { background-color:window; border:1px solid #AAAAAA; font-size:95%; left:0; overflow-x:hidden; overflow-y:auto; position:absolute; top:0; width:0; z-index:99; } table.os-suggest-results { border:0 none; border-collapse:collapse; cursor:pointer; font-size:95%; width:100%; } .os-suggest-result, .os-suggest-result-hl { background-color:window; color:windowtext; padding:2px; white-space:nowrap; } .os-suggest-result-hl, .os-suggest-result-hl-webkit { background-color:#4C59A6; color:white; } .os-suggest-result-hl { background-color:highlight; color:highlighttext; } .os-suggest-toggle { font-size:65%; left:1ex; position:relative; } .os-suggest-toggle-def { font-size:65%; left:0; position:absolute; top:0; visibility:hidden; } .autocomment { color:gray; } #pagehistory .history-user { margin-left:0.4em; margin-right:0.2em; } #pagehistory span.minor { font-weight:bold; } #pagehistory li { border:1px solid white; } #pagehistory li.selected { background-color:#F9F9F9; border:1px dashed #AAAAAA; } .newpage, .minor, .bot { font-weight:bold; } .mw-uctop { font-weight:bold; } table.mw-listgrouprights-table tr { vertical-align:top; } .listgrouprights-revoked { text-decoration:line-through; } td.mw-statistics-numbers { text-align:right; } h4.mw-specialpagesgroup { background-color:#DCDCDC; margin:0.3em 0 0; padding:2px; } 
EmBIOS Monitor Protocol 0 258 3064 3018 2010-08-07T12:25:33Z Benedikt93 145 Fixed copy & paste mistake wikitext text/x-wiki

This article describes the USB communication protocol of emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header.
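The framing described in this section, as an added host-side example in Python (not code from the emBIOS project): it builds command packets and validates response headers before trusting any device-supplied field, using the status codes and the "Get device information" and "Read memory" layouts documented further down this page. All function names and the sample responses are this example's own; the read-splitting helper generalizes the packet size rule, and rejecting unlisted status codes is a choice made here.

```python
import struct

HEADER_LEN = 16  # every command and every response starts with a 16-byte header
STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 1, 2, 3  # 0 means "invalid response"
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic",
}


class ProtocolError(Exception):
    """Raised when a response does not match the documented layout."""


def build_command(cmd_id, args=b"", data=b"", max_cmd_out=None):
    """LE32 command ID + 12 command-specific bytes (zero padded), then the data."""
    if len(args) > HEADER_LEN - 4:
        raise ValueError("command arguments exceed the 12 remaining header bytes")
    packet = struct.pack("<I", cmd_id) + args.ljust(HEADER_LEN - 4, b"\x00") + data
    if max_cmd_out is not None and len(packet) > max_cmd_out:
        raise ValueError("packet exceeds the Command OUT endpoint packet size")
    return packet


def split_response(raw):
    """Return (status, 12 header bytes, data stage) after checking the header."""
    if len(raw) < HEADER_LEN:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", raw, 0)
    if status not in (STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY):
        # Status 0 is documented as invalid; treating codes that are not
        # listed the same way is this example's assumption.
        raise ProtocolError("invalid status code %d" % status)
    return status, raw[4:HEADER_LEN], raw[HEADER_LEN:]


def require_ok(raw):
    """Accept only status 1; callers may retry later on status 3 (busy)."""
    status, args, data = split_response(raw)
    if status != STATUS_OK:
        raise ProtocolError("command failed with status %d" % status)
    return args, data


def parse_version(raw):
    """Decode the response to command 1, information type 0."""
    args, _ = require_ok(raw)
    rev, major, minor, patch, sw_type, dev_type = struct.unpack("<IBBBBI", args)
    return {
        "svn_revision": rev,
        "version": (major, minor, patch),
        "software_type": sw_type,
        "device": DEVICE_TYPES.get(dev_type, "unknown (0x%08x)" % dev_type),
    }


def parse_packet_sizes(raw):
    """Decode the response to command 1, information type 1."""
    args, _ = require_ok(raw)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", args)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def plan_reads(address, length, max_cmd_in):
    """Split a read into command 4 packets whose responses fit max_cmd_in."""
    chunk = max_cmd_in - HEADER_LEN  # the limit includes the response header
    if chunk <= 0:
        raise ValueError("Command IN packet size leaves no room for data")
    commands = []
    while length > 0:
        size = min(chunk, length)
        commands.append(build_command(4, struct.pack("<II", address, size)))
        address += size
        length -= size
    return commands


def parse_read(raw, requested):
    """Return the data stage of a command 4 response, checking its length."""
    _, data = require_ok(raw)
    if len(data) != requested:
        raise ProtocolError("expected %d data bytes, got %d" % (requested, len(data)))
    return data


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 1234, 0, 1, 0, 1, 0x47324E49)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 0x10000, 0x10000)

if __name__ == "__main__":
    print(build_command(1, struct.pack("<I", 0)).hex())
    print(parse_version(SAMPLE_VERSION))
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    for cmd in plan_reads(0x08000000, 1000, sizes["cmd_in"]):  # constructed address
        print(cmd.hex())
```
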
After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==

=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number
|-
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version
|-
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version
|-
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version
|-
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID
|-
|}

{| class="wikitable prettytable"
|+ Software Types
|-
! Software Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 1 || emBIOS Debugger
|-
|}

{| class="wikitable prettytable"
|+ Hardware Types
|-
! Device Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 0x47324e49 || iPod Nano 2G
|-
| style="text-align:right" | 0x47334e49 || iPod Nano 3G
|-
| style="text-align:right" | 0x47344e49 || iPod Nano 4G
|-
| style="text-align:right" | 0x4c435049 || iPod Classic
|-
|}

==== Get packet size information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size
|-
|}

==== Get user memory address range ====
Provides information about the range of memory not used by emBIOS itself.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
|}

=== 2: Reset ===
Reboot the device.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Graceful reboots are asynchronous commands.
Forced reboots won't send a response packet before rebooting.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Both variants are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

I2C transactions are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)
|-
|}

=== 9: Write to I2C device ===
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device
|-
|}

I2C transactions are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 10: Read from the USB console ===
Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size
|-
|}

=== 11: Write to the USB console ===
Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer
|-
|}

=== 12: Write to device's consoles ===
Use this command to write data to one or more of the consoles.
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 2806d2e2ca053672e0e0bfa36209da3a1a9c75a4 3065 3064 2010-08-07T14:50:02Z TheSeven 13 /* 16: (Un)Freeze scheduler */ wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. 
The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. 
You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. 
=== 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. 
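The following Python sketch is an added example, not part of the original page or of the emBIOS code base. It builds the 16-byte command header, parses the "Get packet size information" response, and splits a command 4 read so that each response fits the Command IN limit with the header included; it also rejects responses whose status or length does not match what the host asked for. All function names, the packet-size values and the address 0x08000000 are constructed for illustration.

```python
import struct

HEADER_LEN = 16  # every command and response starts with a 16-byte header

STATUS_INVALID, STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 0, 1, 2, 3
CMD_GET_INFO, CMD_READ_MEM = 1, 4
INFO_PACKET_SIZES = 1


class ProtocolError(Exception):
    """Response is malformed or carries a non-retryable status code."""


class DeviceBusy(Exception):
    """Status 3: another asynchronous command is running, retry later."""


def build_command(cmd_id, *words, payload=b""):
    """Header: command ID plus up to three 32-bit little-endian arguments,
    zero-filled ("Should be zero"), followed by the optional data."""
    if len(words) > 3:
        raise ValueError("a 16-byte header holds at most three arguments")
    fields = (cmd_id,) + words + (0,) * (3 - len(words))
    return struct.pack("<4I", *fields) + payload


def split_response(raw, expected_data_len=0):
    """Check status and length; return (header bytes 4..15, data stage)."""
    if len(raw) < HEADER_LEN:
        raise ProtocolError("short response: %d bytes" % len(raw))
    (status,) = struct.unpack_from("<I", raw, 0)
    if status == STATUS_BUSY:
        raise DeviceBusy()
    if status != STATUS_OK:
        # 0 (invalid) and 2 (not supported) are not worth retrying
        raise ProtocolError("status code %d" % status)
    data = raw[HEADER_LEN:]
    if len(data) != expected_data_len:
        # never trust the device to return exactly what was requested
        raise ProtocolError("expected %d data bytes, got %d"
                            % (expected_data_len, len(data)))
    return raw[4:HEADER_LEN], data


def parse_packet_sizes(raw):
    """Response to command 1, information type 1: two 16-bit command
    endpoint limits followed by two 32-bit data endpoint limits."""
    body, _ = split_response(raw)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", body)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def plan_reads(address, length, max_cmd_in):
    """Split a read into command 4 packets whose responses, including the
    16-byte header, fit into max_cmd_in. Returns [(packet, data_len), ...]."""
    max_data = max_cmd_in - HEADER_LEN
    if max_data <= 0:
        raise ValueError("Command IN packet size leaves no room for data")
    if address < 0 or length < 0 or address + length > 1 << 32:
        raise ValueError("range does not fit a 32-bit address space")
    plan, offset = [], 0
    while offset < length:
        n = min(max_data, length - offset)
        plan.append((build_command(CMD_READ_MEM, address + offset, n), n))
        offset += n
    return plan


# Constructed sample: status 1, Command OUT/IN limits of 512 bytes,
# Data OUT/IN limits of 64 KiB.
SAMPLE_PACKET_SIZES = struct.pack("<IHHII", 1, 512, 512, 0x10000, 0x10000)

if __name__ == "__main__":
    print(build_command(CMD_GET_INFO, INFO_PACKET_SIZES).hex())
    sizes = parse_packet_sizes(SAMPLE_PACKET_SIZES)
    for packet, n in plan_reads(0x08000000, 1000, sizes["cmd_in"]):
        print(packet.hex(), "->", n, "data bytes expected")
```
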
{| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 73d77288c6875cbfa75f8613849333a106e11a1f 3066 3065 2010-08-07T14:50:44Z TheSeven 13 /* 17: (Un)Suspend thread */ wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. 
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. 
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 6090eb695c19cb0b5b2adb32a58a93bf9289c6cc 3068 3066 2010-08-07T22:06:34Z Benedikt93 145 /* 15: Get process information */ wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe.
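The size limits stated for the memory commands (4 to 7) and the two command 1 responses that report them (information types 1 and 2) can be enforced on the host before anything is sent. The following Python code is an added example, not part of the original page or of the emBIOS tools; the function names, the sample responses and the policy of confining writes to the user memory range are assumptions made here.

```python
import struct
from collections import namedtuple

HEADER_SIZE = 16                 # every command and response starts with 16 bytes
STATUS_OK, STATUS_BUSY = 1, 3    # values from the Status Codes table

Limits = namedtuple("Limits", "cmd_out cmd_in data_out data_in")


class ProtocolError(Exception):
    """Raised when a response cannot be trusted."""


def check_status(resp):
    """Validate a response header; return the status code (1 = OK, 3 = busy)."""
    if len(resp) < HEADER_SIZE:
        raise ProtocolError("short response: %d bytes" % len(resp))
    (status,) = struct.unpack_from("<I", resp)
    if status not in (STATUS_OK, STATUS_BUSY):
        # 0 = invalid response (bail out), 2 = command not supported
        raise ProtocolError("unexpected status code %d" % status)
    return status


def parse_limits(resp):
    """Response to command 1, information type 1 (packet size information)."""
    if check_status(resp) != STATUS_OK:
        raise ProtocolError("device busy")
    _, cmd_out, cmd_in, data_out, data_in = struct.unpack_from("<IHHII", resp)
    if min(cmd_out, cmd_in) < HEADER_SIZE or min(data_out, data_in) == 0:
        raise ProtocolError("implausible packet sizes")
    return Limits(cmd_out, cmd_in, data_out, data_in)


def parse_user_range(resp):
    """Response to command 1, information type 2: (lower, upper), upper exclusive."""
    if check_status(resp) != STATUS_OK:
        raise ProtocolError("device busy")
    _, lower, upper, _ = struct.unpack_from("<IIII", resp)
    if lower >= upper:
        raise ProtocolError("empty user memory range")
    return lower, upper


def header(cmd_id, address, length):
    """16-byte little-endian header of commands 4 to 7; the last word is zero."""
    return struct.pack("<IIII", cmd_id, address, length, 0)


def plan_read(address, size, limits):
    """Return [(command_packet, bytes_to_read_from_data_in)] for a memory read."""
    if address < 0 or size < 0 or address + size > 2 ** 32:
        raise ValueError("range does not fit a 32-bit address space")
    if HEADER_SIZE + size <= limits.cmd_in:       # command 4: data follows the header
        return [(header(4, address, size), 0)]
    plan = []
    for off in range(0, size, limits.data_in):    # command 6: one request per chunk
        chunk = min(limits.data_in, size - off)
        plan.append((header(6, address + off, chunk), chunk))
    return plan


def plan_write(address, data, limits, user_range):
    """Return [(command_packet, bytes_for_data_out)] for a memory write.

    Assumption of this example: writes are refused unless they stay inside
    the user memory range, so the host tool cannot overwrite emBIOS itself.
    """
    lower, upper = user_range
    if not (lower <= address and address + len(data) <= upper):
        raise ValueError("write leaves the user memory range")
    if HEADER_SIZE + len(data) <= limits.cmd_out:  # command 5: data in the same packet
        return [(header(5, address, len(data)) + data, b"")]
    plan = []
    for off in range(0, len(data), limits.data_out):  # command 7: data goes to Data OUT
        chunk = data[off:off + limits.data_out]
        plan.append((header(7, address + off, len(chunk)), chunk))
    return plan


# Constructed sample responses (not captured from a device).
SAMPLE_LIMITS_RESP = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_RANGE_RESP = struct.pack("<IIII", 1, 0x08000000, 0x0A000000, 0)

if __name__ == "__main__":
    limits = parse_limits(SAMPLE_LIMITS_RESP)
    user_range = parse_user_range(SAMPLE_RANGE_RESP)
    for packet, n in plan_read(0x08000000, 131082, limits):
        print(packet.hex(), "then read", n, "bytes from Data IN")
    try:
        plan_write(0x09FFFFFF, b"\x00\x00", limits, user_range)
    except ValueError as exc:
        print("rejected:", exc)
```

Each planned packet is sent to the Command OUT Endpoint and its response checked with `check_status` before the data stage; a status of 3 means the request should be retried later.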
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 46b17795332512db670537189af0f1a5f0d93278 3088 3068 2010-08-11T02:42:07Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe.
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !!
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} 976bafdabbe7ddfdc6b6986ec175ab4a160f6335 3089 3088 2010-08-11T02:43:09Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !!
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} 9c3db38d3db065c663ce08775759f99dc4a32dd9 3090 3089 2010-08-11T02:44:08Z TheSeven 13 /* 21: Execute image */ wikitext text/x-wiki This article describes the USB communication protocol of the emBIOS Monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !!
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
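Added example (not part of the original wiki text or of the emBIOS code base): host-side handling of command 13 in Python. It enforces the Command IN size limit when building the request and, when parsing, returns only the bytes the device reports as actually read, bounded by the request and by what was received, so the undefined padding is never treated as console data. The console bitmask value, the helper names and the sample responses are constructed for illustration.

```python
import struct

HEADER_SIZE = 16          # every command and response starts with a 16-byte header
CMD_CREAD = 13            # "Read from device's consoles"
STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 1, 2, 3


class MonitorError(Exception):
    """Response that must not be processed any further."""


class DeviceBusy(MonitorError):
    """Status 3: another asynchronous command is running, retry later."""


def build_cread(console_mask, nbytes, max_cmd_in):
    """Return the 16-byte command packet for command 13.

    max_cmd_in is the "Maximum Command IN Endpoint packet size" reported by
    command 1 (information type 1); header plus data must fit into it.
    """
    if not 0 <= console_mask <= 0xFFFFFFFF:
        raise ValueError("console bitmask must fit in 32 bits")
    if nbytes < 0 or HEADER_SIZE + nbytes > max_cmd_in:
        raise ValueError("request exceeds the Command IN packet size")
    # Little endian: command ID, console bitmask, byte count, zero.
    return struct.pack("<IIII", CMD_CREAD, console_mask, nbytes, 0)


def parse_cread(response, requested):
    """Return only the valid console bytes of a command 13 response."""
    if len(response) < HEADER_SIZE:
        raise MonitorError("response shorter than the 16-byte header")
    status, nread = struct.unpack_from("<II", response, 0)
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status != STATUS_OK:
        # Covers 0 (invalid, bail out), 2 (not supported) and unknown codes.
        raise MonitorError("unexpected status code %d" % status)
    received = len(response) - HEADER_SIZE
    # Assumption: the count is read as unsigned, so a negative cread result
    # would show up as a huge value and be rejected here as well.
    if nread > requested or nread > received:
        raise MonitorError("length field exceeds request or received data")
    # Everything after nread bytes is undefined padding: drop it.
    return bytes(response[HEADER_SIZE:HEADER_SIZE + nread])


def make_response(status, nread, payload):
    """Constructed test helper: fake device response (not captured traffic)."""
    return struct.pack("<II8x", status, nread) + payload


def demo():
    """Run the codec over constructed responses and return the outcomes."""
    # 0x1 is an arbitrary bitmask; the page does not define the console bits.
    request = build_cread(console_mask=0x1, nbytes=8, max_cmd_in=64)
    good = make_response(STATUS_OK, 5, b"hello" + b"\xaa" * 3)
    lying = make_response(STATUS_OK, 64, b"hello" + b"\xaa" * 3)
    busy = make_response(STATUS_BUSY, 0, b"")
    outcomes = [request.hex(), parse_cread(good, 8)]
    for bad in (lying, busy):
        try:
            parse_cread(bad, 8)
        except MonitorError as exc:
            outcomes.append(type(exc).__name__)
    return outcomes


if __name__ == "__main__":
    print(demo())
```
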
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} 463e62f50531300d2f2ba5ccda1b110ef918a57a 3091 3090 2010-08-11T13:55:28Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !!
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
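The header layout, status codes and Command IN size limit described above, as an added Python example (not code from the emBIOS project). The function and class names, the sample responses and the sample address are assumptions constructed for illustration; the USB transfer itself is left out, so only packet building and response validation are shown.

```python
import struct

HEADER_SIZE = 16                  # every command and response starts with 16 bytes
STATUS_OK, STATUS_BUSY = 1, 3     # values from the Status Codes table
DEVICE_TYPES = {                  # values from the Hardware Types table
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class ProtocolError(Exception):
    """Response is malformed or carries a non-OK status (hypothetical name)."""


class DeviceBusy(ProtocolError):
    """Status 3: another asynchronous command is still running."""


def build_command(cmd_id, *args, payload=b""):
    """Pack the command ID and up to three 32-bit little-endian words."""
    if len(args) > 3:
        raise ValueError("the 16-byte header holds at most three argument words")
    words = [cmd_id, *args] + [0] * (3 - len(args))  # unused words "should be zero"
    return struct.pack("<4I", *words) + payload


def split_response(resp):
    """Check length and status code, then return (header, data stage)."""
    if len(resp) < HEADER_SIZE:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", resp, 0)
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status != STATUS_OK:
        raise ProtocolError(f"status code {status}")
    return resp[:HEADER_SIZE], resp[HEADER_SIZE:]


def parse_version(resp):
    """Command 1, information type 0: revision, version bytes, type IDs."""
    header, _ = split_response(resp)
    _, svn, major, minor, patch, sw_type, dev_type = struct.unpack("<IIBBBBI", header)
    return {"svn": svn, "version": (major, minor, patch), "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev_type, "unknown")}


def parse_packet_sizes(resp):
    """Command 1, information type 1: two 16-bit and two 32-bit maxima."""
    header, _ = split_response(resp)
    _, cmd_out, cmd_in, data_out, data_in = struct.unpack("<IHHII", header)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def build_read_memory(address, size, max_cmd_in):
    """Command 4, refusing requests whose response would exceed Command IN."""
    if size < 0 or HEADER_SIZE + size > max_cmd_in:
        raise ValueError("header plus data exceeds the Command IN packet size")
    return build_command(4, address, size)


def parse_console_read(resp, requested):
    """Command 10: keep only the bytes the device marks as valid."""
    header, data = split_response(resp)
    _, valid, _buffer_size, pending = struct.unpack("<4I", header)
    data = data[:requested]       # anything past the request is not ours
    if valid > len(data):         # never trust a length larger than what arrived
        raise ProtocolError("valid byte count exceeds the data received")
    return data[:valid], pending  # the rest is padding with undefined content


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 100, 0, 1, 0, 1, 0x47324E49)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_CONSOLE = struct.pack("<4I", 1, 5, 4096, 0) + b"hello" + b"\xaa" * 11

if __name__ == "__main__":
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    print(parse_version(SAMPLE_VERSION))
    print(build_read_memory(0x08000000, 496, sizes["cmd_in"]).hex())
    print(parse_console_read(SAMPLE_CONSOLE, 16))
```

The same length check applies to every response that is described as padded with undefined data: the count in the header decides how many bytes are meaningful, and it is checked against what actually arrived.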
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Read raw boot flash === Write raw boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} ae6bbb5ea12fae6ccf50236d4bd049c5c07b3e96 3092 3091 2010-08-11T13:57:58Z TheSeven 13 /* 23: Read raw boot flash */ wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !!
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
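An added example, not part of the emBIOS sources or of the original article: a host-side reader in Python that fetches the process information table with command 15 in chunks that respect the Command IN packet size limit (header included), using the header layout from General Structure and the field offsets given in this section's tables. The `transact` callable, the fake device and all sample values are constructed assumptions standing in for the real USB endpoints.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header
STATUS_INVALID, STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 0, 1, 2, 3
CMD_GET_PROCESS_INFO = 15


class ProtocolError(Exception):
    """A response the host must not act on (bad status, short, inconsistent)."""


class DeviceBusy(Exception):
    """Status 3: another asynchronous command is running, retry later."""


def build_command(cmd_id, *args):
    """Pack a 16-byte little-endian header; unused words are sent as zero."""
    if len(args) > 3:
        raise ValueError("a standard header holds the ID plus three words")
    return struct.pack("<4I", cmd_id, *args, *([0] * (3 - len(args))))


def parse_response(packet):
    """Check the status word; return (12 remaining header bytes, data stage)."""
    if len(packet) < HEADER_SIZE:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet)
    if status == STATUS_BUSY:
        raise DeviceBusy()
    if status != STATUS_OK:  # 0 = invalid response, 2 = not supported
        raise ProtocolError(f"status {status}")
    return packet[4:HEADER_SIZE], packet[HEADER_SIZE:]


def parse_packet_sizes(packet):
    """Decode the 'Get packet size information' response (two u16, two u32)."""
    fields, _ = parse_response(packet)
    names = ("cmd_out", "cmd_in", "data_out", "data_in")
    return dict(zip(names, struct.unpack("<HHII", fields)))


def read_process_table(transact, max_cmd_in):
    """Fetch the whole process information table in header-aware chunks."""
    chunk = max_cmd_in - HEADER_SIZE  # the size limit includes the header
    if chunk <= 0:
        raise ValueError("Command IN packet size leaves no room for data")
    table, version, total = bytearray(), None, None
    while total is None or len(table) < total:
        want = chunk if total is None else min(chunk, total - len(table))
        reply = transact(build_command(CMD_GET_PROCESS_INFO, len(table), want))
        fields, data = parse_response(reply)
        ver, tot, _undefined = struct.unpack("<3I", fields)
        if len(data) < want:
            raise ProtocolError("data stage shorter than requested")
        if version is None:
            version, total = ver, tot
        elif (ver, tot) != (version, total):
            raise ProtocolError("table changed between chunks")
        # Bytes past the end of the table are undefined padding: drop them.
        table += data[:min(want, total - len(table))]
    return version, bytes(table)


def make_fake_device(table, struct_version=3):
    """Constructed stand-in for the USB endpoints so the example runs offline."""
    def transact(command):
        cmd_id, offset, count, _zero = struct.unpack("<4I", command)
        assert cmd_id == CMD_GET_PROCESS_INFO
        # Pad out-of-bounds reads with junk, as the response table describes.
        body = table[offset:offset + count].ljust(count, b"\xEE")
        header = struct.pack("<4I", STATUS_OK, struct_version, len(table),
                             0xDEADBEEF)  # last word is "Undefined"
        return header + body
    return transact


def demo():
    # Constructed packet-size reply: 512/64 bytes on the command endpoints.
    sizes = parse_packet_sizes(
        struct.pack("<IHHII", STATUS_OK, 512, 64, 65536, 65536))
    table = bytes(range(100))  # constructed 100-byte table
    return read_process_table(make_fake_device(table), sizes["cmd_in"])


if __name__ == "__main__":
    version, table = demo()
    print(version, len(table))
```

On real hardware, freezing the scheduler with command 16 around the loop keeps the table from changing between chunks.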
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} f4998345e13fb47cd805412144eac8866c9b8edd 3110 3092 2010-08-13T20:10:08Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !!
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} c59120a8419699553905e23eef6db78a5ff084e8 3129 3110 2010-08-18T11:32:20Z TheSeven 13 wikitext text/x-wiki This article describes the USB communication protocol of the emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. 
== General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
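A host-side encoder and response validator for the packet layouts this article tabulates (commands 1, 5 and 10), as an added example that is not the emBIOS project's own code. The function names, the strict length check, the optional user-range guard on writes and the sample packets are assumptions made here.

```python
import struct

HEADER_LEN = 16                      # every command and response header
STATUS_OK, STATUS_BUSY = 1, 3
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}


class ProtocolError(Exception):
    """The response breaks the documented layout: bail out."""


class DeviceBusy(Exception):
    """Status 3: another asynchronous command is running, retry later."""


def build_get_info(info_type):
    """Command 1: ID, requested information type (0, 1 or 2), 8 zero bytes."""
    return struct.pack("<IIQ", 1, info_type, 0)


def build_write_memory(address, data, max_cmd_out, user_range=None):
    """Command 5: header followed directly by the bytes to write."""
    if HEADER_LEN + len(data) > max_cmd_out:
        raise ValueError("packet would exceed the Command OUT maximum")
    if user_range is not None:       # assumption: host-side policy, not protocol
        low, high = user_range       # lower bound inclusive, upper exclusive
        if address < low or address + len(data) > high:
            raise ValueError("write falls outside the user memory range")
    return struct.pack("<IIII", 5, address, len(data), 0) + bytes(data)


def build_console_read(length, max_cmd_in):
    """Command 10: the response, header included, must fit Command IN."""
    if HEADER_LEN + length > max_cmd_in:
        raise ValueError("response would exceed the Command IN maximum")
    return struct.pack("<IIQ", 10, length, 0)


def split_response(packet, data_len=0):
    """Check status word and length; return (12 header bytes, data stage)."""
    if len(packet) < HEADER_LEN:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet)
    if status == STATUS_BUSY:
        raise DeviceBusy()
    if status != STATUS_OK:          # 0 (invalid), 2 (unsupported), anything else
        raise ProtocolError(f"status code {status}")
    if len(packet) != HEADER_LEN + data_len:   # strictness chosen by this example
        raise ProtocolError("response length does not match the request")
    return packet[4:HEADER_LEN], packet[HEADER_LEN:]


def parse_version(packet):
    """Information type 0: revision, version bytes, software and device type."""
    fields, _ = split_response(packet)
    rev, major, minor, patch, sw_type, dev = struct.unpack("<IBBBBI", fields)
    return {"svn_revision": rev, "version": (major, minor, patch),
            "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev, "unknown"),
            # The IDs are four ASCII characters stored little endian.
            "device_tag": struct.pack("<I", dev).decode("ascii", "replace")}


def parse_packet_sizes(packet):
    """Information type 1: two 16-bit and two 32-bit maximum packet sizes."""
    fields, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def parse_user_range(packet):
    """Information type 2: (inclusive lower bound, exclusive upper bound)."""
    fields, _ = split_response(packet)
    low, high, _undefined = struct.unpack("<III", fields)
    if low >= high:
        raise ProtocolError("empty or inverted user memory range")
    return low, high


def parse_console_read(packet, requested):
    """Command 10 response: keep only the bytes the device marks as valid."""
    fields, data = split_response(packet, requested)
    valid, _buffer_size, waiting = struct.unpack("<III", fields)
    if valid > requested:            # a count past the payload is never trusted
        raise ProtocolError("device reports more valid bytes than requested")
    return data[:valid], waiting


# Constructed sample responses, not captured from a device.
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 123, 0, 1, 0, 1, 0x47324E49)
SAMPLE_CONSOLE = struct.pack("<IIII", 1, 5, 1024, 0) + b"hello" + b"\xaa" * 3
```

Feed the values returned by `parse_packet_sizes` and `parse_user_range` into the builders so that the size and range checks use what the device itself reported.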
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged, however there might be substantial delay before device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged, however there might be substantial delay before device actually powers off. === 4: Read memory === Use this command to read small amouts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amouts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amouts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} da9023e3f9e5f519eac8044b37255343f9e8d2f7 3130 3129 2010-08-18T11:35:50Z TheSeven 13 Damn wysiwyg editor... wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor.
== Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
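The 16 byte header, the status codes, the packet size query (command 1, information type 1) and the size limit on command 4 can be exercised together on the host side. The following Python code is an added example, not code from the emBIOS project; the `exchange` callable (one Command OUT write followed by one Command IN read), the `FakeMonitor` device stand-in and every sample value in it are assumptions constructed for illustration.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header
STATUS_INVALID, STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 0, 1, 2, 3
CMD_GET_INFO, CMD_READ_MEM = 1, 4
INFO_PACKET_SIZES = 1  # "requested information type" for command 1


class MonitorError(Exception):
    """The response violates the documented layout or reports a failure."""


class DeviceBusy(MonitorError):
    """Status code 3: another asynchronous command is still running."""


def build_command(cmd_id, word1=0, word2=0, word3=0, payload=b""):
    """Pack the 16-byte little-endian header, followed by optional data."""
    return struct.pack("<4I", cmd_id, word1, word2, word3) + payload


def parse_response(raw, expect_data=0):
    """Check status and length; return (header bytes 4..15, data stage)."""
    if len(raw) < HEADER_SIZE:
        raise MonitorError("short response: %d bytes" % len(raw))
    (status,) = struct.unpack_from("<I", raw)
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status != STATUS_OK:
        # 0 = invalid response (bail out), 2 = command not supported
        raise MonitorError("status code %d" % status)
    data = raw[HEADER_SIZE:]
    if len(data) != expect_data:
        raise MonitorError("expected %d data bytes, got %d" % (expect_data, len(data)))
    return raw[4:HEADER_SIZE], data


def get_packet_sizes(exchange):
    """Command 1, information type 1: the four maximum packet sizes."""
    fields, _ = parse_response(exchange(build_command(CMD_GET_INFO, INFO_PACKET_SIZES)))
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in, "data_out": data_out, "data_in": data_in}


def read_memory(exchange, address, length, cmd_in_max, busy_retries=3):
    """Command 4 in chunks, so header + data never exceeds the Command IN maximum."""
    chunk_max = cmd_in_max - HEADER_SIZE
    if chunk_max <= 0:
        raise MonitorError("Command IN packet size leaves no room for data")
    out = bytearray()
    while len(out) < length:
        count = min(chunk_max, length - len(out))
        command = build_command(CMD_READ_MEM, address + len(out), count)
        for attempt in range(busy_retries + 1):
            try:
                _, data = parse_response(exchange(command), expect_data=count)
                break
            except DeviceBusy:
                if attempt == busy_retries:
                    raise
                # a real client would sleep here before retrying
        out += data
    return bytes(out)


class FakeMonitor:
    """Constructed device stand-in so the example runs without USB hardware."""

    def __init__(self, memory, base, cmd_in_max=64):
        self.memory, self.base, self.cmd_in_max = memory, base, cmd_in_max
        self.busy_left = 0  # number of upcoming requests answered with status 3
        self.reads = 0      # read-memory commands served with status 1

    def _reply(self, status, fields=bytes(12), data=b""):
        return struct.pack("<I", status) + fields + data

    def exchange(self, packet):
        cmd, word1, word2, _ = struct.unpack_from("<4I", packet)
        if self.busy_left:
            self.busy_left -= 1
            return self._reply(STATUS_BUSY)
        if cmd == CMD_GET_INFO and word1 == INFO_PACKET_SIZES:
            # constructed sizes, not values reported by any real device
            return self._reply(STATUS_OK, struct.pack("<HHII", 64, self.cmd_in_max, 4096, 4096))
        if cmd == CMD_READ_MEM:
            if HEADER_SIZE + word2 > self.cmd_in_max:
                raise ValueError("host requested more than one Command IN packet")
            self.reads += 1
            start = word1 - self.base
            return self._reply(STATUS_OK, data=self.memory[start:start + word2])
        return self._reply(STATUS_UNSUPPORTED)


if __name__ == "__main__":
    device = FakeMonitor(bytes(range(256)), base=0x1000)  # constructed memory image
    sizes = get_packet_sizes(device.exchange)
    dump = read_memory(device.exchange, 0x1000, 100, sizes["cmd_in"])
    print(sizes, dump[:8].hex(), device.reads)
```

The length check in `parse_response` treats the device as untrusted input: a response shorter than the header, or a data stage that does not match the requested size, is rejected instead of being sliced blindly.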
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
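The packet layouts for commands 5, 8, 10 and 19 above, as an added example that is not part of the original page or of the freemyipod code: a Python codec that enforces the documented size limits and drops the undefined padding in responses. It assumes little-endian 32-bit fields (the tables do not state a byte order) and reads "in the upper 7 bits" as the 7-bit I2C address shifted left by one; all function names, and the addresses and 64-byte endpoint size in the demo call, are constructed.

```python
import struct

HEADER_SIZE = 16   # every command and response in the tables starts with 16 header bytes
STATUS_OK = 1      # "Status Code (1)" in the response tables


class ProtocolError(Exception):
    """Raised when a request or response violates the documented layout."""


def build_write_mem(addr, data, max_out_packet):
    """Command 5: 16-byte header followed by the data, in one Command OUT packet."""
    if HEADER_SIZE + len(data) > max_out_packet:
        raise ProtocolError("header + data exceed the Command OUT packet size")
    # Assumption: little-endian fields. Offset 12 "should be zero".
    return struct.pack("<4I", 5, addr, len(data), 0) + bytes(data)


def split_write_mem(addr, data, max_out_packet):
    """Split a buffer into as many command-5 packets as the endpoint size requires."""
    chunk = max_out_packet - HEADER_SIZE
    if chunk <= 0:
        raise ProtocolError("endpoint too small to carry any payload")
    return [build_write_mem(addr + off, data[off:off + chunk], max_out_packet)
            for off in range(0, len(data), chunk)]


def build_i2c_read(bus, addr7, start, count, max_in_packet):
    """Command 8: one-byte fields at offsets 4..7, then 8 zero bytes."""
    limit = min(max_in_packet - HEADER_SIZE, 255)   # "whichever is smaller"
    if not 0 <= count <= limit:
        raise ProtocolError("I2C read length outside the allowed range")
    if not (0 <= addr7 <= 0x7F and 0 <= bus <= 255 and 0 <= start <= 255):
        raise ProtocolError("I2C field does not fit its one-byte slot")
    # Assumption: the 7-bit slave address sits in bits 7..1 of the byte.
    return struct.pack("<I4B8x", 8, bus, addr7 << 1, start, count)


def build_console_read(count, max_in_packet):
    """Command 10: a zero-length request is valid and keeps the console draining."""
    if not 0 <= count <= max_in_packet - HEADER_SIZE:
        raise ProtocolError("console read exceeds the Command IN packet size")
    return struct.pack("<II8x", 10, count)


def _check_status(resp):
    if len(resp) < HEADER_SIZE:
        raise ProtocolError("response shorter than its 16-byte header")
    status = struct.unpack_from("<I", resp)[0]
    if status != STATUS_OK:
        raise ProtocolError(f"device returned status {status}")


def parse_console_read(resp, requested):
    """Return (valid_data, buffer_size, bytes_pending) from a command-10 response."""
    _check_status(resp)
    _, valid, buf_size, pending = struct.unpack_from("<4I", resp)
    payload = resp[HEADER_SIZE:HEADER_SIZE + requested]
    # Bytes past `valid` are undefined padding: never hand them to the caller,
    # and reject a count that claims more data than was actually received.
    if valid > len(payload):
        raise ProtocolError("valid-byte count exceeds the data received")
    return bytes(payload[:valid]), buf_size, pending


def build_create_thread(name_ptr, entry, stack, stack_size, system, priority, ready):
    """Command 19: the extended 32-byte command (eight 32-bit fields)."""
    if not 1 <= priority <= 255:
        raise ProtocolError("priority must be in the range 1-255")
    return struct.pack("<8I", 19, name_ptr, entry, stack, stack_size,
                       1 if system else 0, priority, 1 if ready else 0)


def parse_create_thread(resp):
    """Offset 4 is signed: a positive thread ID or a negative error code."""
    _check_status(resp)
    result = struct.unpack_from("<i", resp, 4)[0]
    if result < 0:
        raise ProtocolError(f"thread creation failed with error {result}")
    return result


if __name__ == "__main__":
    # Constructed values: 100 bytes written through a 64-byte Command OUT endpoint.
    for pkt in split_write_mem(0x08000000, bytes(100), 64):
        print(len(pkt), pkt[:HEADER_SIZE].hex())
```
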
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate an HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} ec6e3d405a158da3760b9b6e9d26ec6b14f66b3e Contact 0 259 3067 3032 2010-08-07T17:36:35Z Farthen 28 wikitext text/x-wiki There are various ways to contact the freemyipod team. 
== IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; please check http://logs.freemyipod.org for the logfiles. === #freemyipod === This channel is for anything related to the project. This may be development related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. === #freemyipod-chatter === This is our off-topic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. == Mailing lists == We have several mailing lists. You can find them on http://lists.freemyipod.org. === freemyipod === This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page]. === freemyipod-commits === This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod here]. == Mail == If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list. 
7f6620a03b18d7620102ad906ce6bb7a5bc58aaf File:Embios.jpg 6 266 3069 2010-08-09T20:43:50Z Cmwslw 1 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 3071 3069 2010-08-09T20:53:18Z Cmwslw 1 uploaded a new version of "[[File:Embios.jpg]]" wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 3094 3071 2010-08-11T23:38:15Z Farthen 28 uploaded a new version of "[[File:Embios.jpg]]": Updated to a more recent version... wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Main Page 0 50 3070 3063 2010-08-09T20:45:05Z Cmwslw 1 wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. <p id="linux4nano"></p> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. 
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 6838c08a09a4365d474518a535ae1e8af8ae1d66 3079 3070 2010-08-10T18:37:11Z Cmwslw 1 /* Software efforts */ wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. 
<p id="linux4nano"></p> ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 3442f4387553a2e78a12db831f5bdf7027118c6e 3093 3079 2010-08-11T22:15:23Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] *2009/10/26 - USB now (somewhat) functional on [[Nano 4G]] via iBugger! This will be used instead of UART to dump memories. Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] 
** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 07deff1cd001b60402338464a7fd4cf6a0800eea 3114 3093 2010-08-14T02:45:44Z Cmwslw 1 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/13 - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] ** [[iLoader howto]] ** [[iLoader themes]] ** [[iLoader testing results]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} f5b7331caa9d1df49a31c4b3e5891a97bc00b369 3134 3114 2010-08-18T23:25:29Z TheSeven 13 /* Released Software */ wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/13 - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
*2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware efforts=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} ca78649c949e00298540f1a6366ee97579e3848f 3135 3134 2010-08-18T23:26:08Z TheSeven 13 /* Hardware efforts */ wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/13 - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Software efforts=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * 
[[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 999f26fb9c5dd4b23d03ca8372ecbee0183eda38 3136 3135 2010-08-18T23:26:26Z TheSeven 13 /* Software efforts */ wikitext text/x-wiki __NOTOC__ [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. ==Updates== *2010/08/13 - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. *2010/08/06 - The wiki has now been moved to www.freemyipod.org *2010/08/05 - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] *2010/08/03 - We can now access the Nano 4G accelerometer. *2010/08/02 - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. *2010/08/01 - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. *2010/07/27 - The server got zapped by lightning but a new one was up and running within a day. *2010/02/23 - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! *2009/11/01 - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} dc5bc8663782c02dcd71a3a9ad84b6e06d1a1277 EmBIOS 0 267 3072 2010-08-09T21:38:19Z Cmwslw 1 Created page with "[[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifi..." wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. 
emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. 09e3377fc0b8b9f1ec4c3ca11b01fc599ba8ac34 3073 3072 2010-08-09T22:37:36Z Cmwslw 1 wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN folder [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/&#a70ba5517efd721bf4f2b7b4285a23990 here]. The emBIOS trunk has temporarily abandoned support for the [[Nano 4G]] since there was a holdup concerning its timer. 4G development continues in the '4g_compat' branch. It will be merged in as soon as this holdup is solved. ==Building== If you want to try it out on your own iPod, there are automatic builds but you might as well just check out the SVN and compile it yourself. After all, emBIOS itself doesn't do much except print out its version string to the console. You must put something in main.c if you want it to do anything. Here are the basic steps to getting emBIOS up and running on your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the root of the SVN using make. You will need access to the UCL libraries to build this.
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * If you are on a Nano 2G, build the trunk using 'make ipodnano2g'. If on a Nano 4G, build the 4g_compat branch using 'make ipodnano4g'. 9f5bd231206af7bf311c479f138bf71baefb0bb4 3074 3073 2010-08-10T09:05:26Z Benedikt93 145 /* Building */ add link to buildserver wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN folder [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/&#a70ba5517efd721bf4f2b7b4285a23990 here]. The emBIOS trunk has temporarily abandoned support for the [[Nano 4G]] since there was a holdup concerning its timer. 4G development continues in the '4g_compat' branch. It will be merged in as soon as this holdup is solved. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the SVN and compile it yourself. After all, emBIOS itself doesn't do much except print out its version string to the console. You must put something in main.c if you want it to do anything. Here are the basic steps to getting emBIOS up and running on your iPod: * Check out the Freemyipod [[SVN]].
* Build the UCL tool in the root of the SVN using make. You will need access to the UCL libraries to build this. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * If you are on a Nano 2G, build the trunk using 'make ipodnano2g'. If on a Nano 4G, build the 4g_compat branch using 'make ipodnano4g'. c35c8e052ebc2aa84d0ce24dd117a7cec351c5ab 3085 3074 2010-08-10T22:09:20Z Benedikt93 145 wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN folder [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/&#a70ba5517efd721bf4f2b7b4285a23990 here]. The emBIOS trunk had temporarily abandoned support for the [[Nano 4G]] since there was a holdup concerning its timer. 4G development continued in the '4g_compat' branch which was merged to the trunk again as of 10 August 2010. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the SVN and compile it yourself. After all, emBIOS itself doesn't do much except print out its version string to the console. You must put something in main.c if you want it to do anything.
Here are the basic steps to getting emBIOS up and running on your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the root of the SVN using make. You will need access to the UCL libraries to build this. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * If you are on a Nano 2G, build the trunk using 'make ipodnano2g'. If on a Nano 4G, build the 4g_compat branch using 'make ipodnano4g'. 596e8900803948c1662bb1c063e5dfd5abf95fa7 3086 3085 2010-08-10T23:07:41Z User890104 124 4g_compat branch merged wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN folder [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/&#a70ba5517efd721bf4f2b7b4285a23990 here]. The emBIOS trunk had temporarily abandoned support for the [[Nano 4G]] since there was a holdup concerning its timer. 4G development continued in the '4g_compat' branch which was merged to the trunk again as of 10 August 2010. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the SVN and compile it yourself.
After all, emBIOS itself doesn't do much except print out its version string to the console. You must put something in main.c if you want it to do anything. Here are the basic steps to getting emBIOS up and running on your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the root of the SVN using make. You will need access to the UCL libraries to build this. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * If you are on a Nano 2G, build the trunk using 'make ipodnano2g'. If on a Nano 4G, build the trunk using 'make ipodnano4g'. If you want to build emBIOS for both targets, build the trunk using 'make' only. 3b66e2b87c3a89d41463a9ddf9c11ef2de34d5d0 3087 3086 2010-08-11T01:46:43Z Farthen 28 wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. After all, emBIOS itself doesn't do much except print out its version string to the console.
You must put something in main.c if you want it to do anything. Here are the basic steps to getting emBIOS up and running on your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver]. * If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod Nano 2G with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code> 935b4e405d1321860e7ca803c2fb667d86e681d2 S5L8701 analysis 0 89 3075 2998 2010-08-10T09:12:51Z Benedikt93 145 /* Guessed pinout table */ fix link wikitext text/x-wiki [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]] == Introduction == The Samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips or their further evolutions. There is probably a small unencrypted boot ROM inside, probably containing crypto information, which would be very useful for integrating user SW. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here].
There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5 mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double-sided PCB substrate. The electrical current passes through: *a pad of the chip die *a bonding wire *the top layer of the substrate *a via *the bottom layer *finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). To do this, we analyze the bonding and the PCB. == Packaging analysis == The following steps were performed: *desoldering of the IC *removing of the balls and filler glue *X-ray picture *microscope picture of the bottom layer *removing the bottom layer and most of the substrate (by careful manual grinding) *microscope picture of the top layer *superposition of these views, and path finding from the die to the ball == Guessed pinout table == The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status. This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). See [[Nano2G_HW_analysis|Nano2G HW analysis]] for further PCB analysis. 223638c84473773c7cd3738bcd6d7d982d4b7acf 3077 3075 2010-08-10T18:30:13Z Cmwslw 1 /* Guessed pinout table */ wikitext text/x-wiki [[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]] [[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]] [[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]] == Introduction == The Samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.
We currently know nearly nothing about the differences between the two chips or their further evolutions. There is probably a small unencrypted boot ROM inside, probably containing crypto information, which would be very useful for integrating user SW. Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post]. == Structure of the packaging == The chip is a 226-pin TFBGA with a pitch of 0.5 mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package] The chip is glued to a small double-sided PCB substrate. The electrical current passes through: *a pad of the chip die *a bonding wire *the top layer of the substrate *a via *the bottom layer *finally, the BGA ball The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). To do this, we analyze the bonding and the PCB. == Packaging analysis == The following steps were performed: *desoldering of the IC *removing of the balls and filler glue *X-ray picture *microscope picture of the bottom layer *removing the bottom layer and most of the substrate (by careful manual grinding) *microscope picture of the top layer *superposition of these views, and path finding from the die to the ball == Guessed pinout table == The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status. This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). See [[Nano2G HW analysis]] for further PCB analysis.
ffdc2f5ed9288896ca60aaad5bce40d81d6b4422 GUID table 0 268 3076 2010-08-10T18:26:52Z TheSeven 13 Created page with "{| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Description |- | <0x3FD4147F, 0xAF65,..." wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G: DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G: Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G: Lcd:40090620 |- |} d7d091f78deae365d69dc90290cd77179558ee74 3080 3076 2010-08-10T18:37:46Z Cmwslw 1 moved [[GUID Table]] to [[GUID table]] wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G: DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G: Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G: Lcd:40090620 |- |} d7d091f78deae365d69dc90290cd77179558ee74 3082 3080 2010-08-10T19:34:36Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G: DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G: Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G: Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G:DisplayPlatform:40030540 |- |} c6c66ddc66043b51ac6b92126b0edb288a8ffc20 3083 3082 2010-08-10T19:35:03Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G: DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G: Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G: Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G: DisplayPlatform:40030540 |- |} c7ea27a3a961a2a236c98845861a3ca07eb1d15d 3084 3083 2010-08-10T19:36:06Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- |} 55e22c5cbadd34c5f00dd360bbb68c7aa85fc742 Nano2G HW analysis 0 94 3078 2749 2010-08-10T18:33:31Z Cmwslw 1 Fix an old link wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == Previous work == See [[Nano 2G]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To ease the search, a coarser search was first performed by a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).
After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with OpenOCD. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so no memory is reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful: these values can be corrupt due to the memory bus disconnection. We used statistics on many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and OpenOCD was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0 V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == Getting code execution? == [[Nano2G getting exec]] 3d99d0652ca1e800a9ce9d17a04da023fd79ad6b File:8700 ball layout.png 6 81 3095 1617 2010-08-12T00:51:32Z Cmwslw 1 wikitext text/x-wiki S5L8700 ball layout (not the iPod's, though) e56a9e58f848aad7ae4c74cbded4e93356a90cd1 3096 3095 2010-08-12T00:53:27Z Cmwslw 1 wikitext text/x-wiki S5L8700 ball layout (not the iPod's, though).
This is a graphical representation of the grid array described here: www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html feb04cb9e2b8310bf7336958baaa57ce8d3f73fc S5L8700 datasheet 0 255 3097 2970 2010-08-12T00:54:24Z Cmwslw 1 wikitext text/x-wiki The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail. The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. ==Helpful pages== http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html 83a984fb954b5773023c012d6af128ca1464f13e Modes 0 52 3115 3005 2010-08-14T12:17:54Z Myst 150 Added Classic 1G (80GB) PIDs wikitext text/x-wiki Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed for as long as the iPod has. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since the Nano 3G) is probably contained in the processor's on-chip boot ROM. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board. ===Getting DFU mode on 3G/4G=== # Make sure your iPod is turned on and connected to your computer. # Press the menu button and the select (central) button simultaneously. # The iPod's screen will go black, and the Apple logo will shortly appear. # Keep holding until the Apple logo turns into a black screen. This takes about 10 seconds. # Release the menu and select buttons. You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs: {| class="wikitable" ! Device !! Normal !! DFU |- | Nano 2G | ? | ? |- | Nano 3G | 1262 | 1223/1224 |- | Nano 4G | 1263 | 1225 |- | Nano 5G | 1265 | 1231 |- | Classic 1G | 1261 | 1223 |- | Classic 2G | ? | ? |- | Classic 3G | 1261 | 1223 |} Please replace the question marks if you can. ===DFU utility=== TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It comes with a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository]. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod.
Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf dafd80d5b1cc4620d081172a87632421871d06b8 Firmware 0 56 3117 2766 2010-08-15T02:35:07Z Cmwslw 1 /* Nano 4G */ wikitext text/x-wiki 3118 3117 2010-08-15T02:35:48Z Cmwslw 1 /* Nano 4G */ wikitext text/x-wiki 3119 3118 2010-08-15T08:16:03Z Wolftail 138 clarified that 3G means Nano 3G wikitext text/x-wiki 3120 3119 2010-08-15T08:16:57Z Wolftail 138 /* Nano 4G */ wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly.
** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 223a4b6ae303fbb0378640e94e9b61aa71ee5043 User:Wolftail 2 271 3122 2010-08-15T18:45:00Z Wolftail 138 Created page with "Hey, there! My name is Lala Ionuț, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. PS: If anyone wil..." wikitext text/x-wiki 3123 3122 2010-08-15T18:54:48Z Wolftail 138 wikitext text/x-wiki 3125 3123 2010-08-16T05:18:32Z Cmwslw 1 wikitext text/x-wiki 3127 3125 2010-08-16T12:55:01Z Wolftail 138 wikitext text/x-wiki Hey, there! My name is Lala Ionuț, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. I am willing to do non-destructive testing in order to help the project. PS: If anyone will read this... Is it possible to update the 1G Classic (160GB) to the 2.0.x firmware of the 2G/3G Classic? (I know that the hardware is almost a perfect match.) I think it could be done by getting an image of the HDD of an iPod Classic with the new software and overwrite it to the older one. Has anyone tried this? Can it be done? Thank You very much for all your work!
:Yes, this should be possible and in fact we have done something similar with the 4G. One time we copied the contents of an 8GB Nano 4G and gave it to me to put on my 16GB Nano 4G. It booted fine. But the thing is the Classic 2G has some headphone hardware that the 1G does not, and this could cause a crash when booting or using. We are more interested in copying the Classic 2G firmware to the Classic 3G since the 3G ships with firmware that has the notes vulnerability patched. [[User:Cmwslw|Cmwslw]] 05:18, 16 August 2010 (UTC) Thanks for the quick reply! I know about the headphone difference but I still hope that those really tiny chips that are added on the motherboard of the Classic 2G aren't so important that the OS will crash without them. I believe that porting new features to iPods via the original firmware if possible should also be included in this wiki. I do also understand that porting Rockbox on the new iPods is of higher priority and just hope that someone will find some spare time for this. [[User:Wolftail|Wolftail]] 12:55, 16 August 2010 (UTC) 28992809a5c7a8ad81362775701aefaf253423b2 User:My iBrick 2 272 3128 2010-08-18T00:54:35Z My iBrick 149 Created page with "I own an iPod touch." wikitext text/x-wiki I own an iPod touch. f1297b92ddc942ee5da1b7bf93263f190dbe61dd freemyipod.org:About 4 115 3139 2950 2010-08-19T23:05:39Z User890104 124 wikitext text/x-wiki This wiki was started in order to collect all information about the freemyipod project, whether that be on the IRC, website, or mailing list, and compile it all into a convenient and organized location. Please feel free to add/edit information (it is a wiki after all). Please keep in mind that this wiki is for the purpose of cracking the iPod encryption. While we want to find out as much about the iPod as we can, we need to try to keep only information relevant to cracking the iPod in the wiki. This keeps the wiki informative, but still concise.
Also, when editing the wiki, please be sure to include sources (for plagiarism, but mostly for convenience). Also, '''speculation is good'''! Since this is an ongoing project, some things might not be known for sure. Even still, it is important to put speculation in this wiki to keep ideas flowing. Just make sure you mark speculation by using a question mark or something. b938314f5f616c2eb6e451f4b28429901ed6b42b Address bruteforcing 0 122 3140 3046 2010-08-19T23:07:05Z User890104 124 wikitext text/x-wiki 3154 3140 2010-08-29T17:12:02Z Farthen 28 wikitext text/x-wiki {{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}} The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems. == Setup == OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code has executed. The files are in .htm format. Their names consist of a prefix, either 'a' or 'b', followed by the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone testing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]]. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will either crash (#1) or freeze (#4). If you find one or more that do neither, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested!
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Tested
|-
| BlackLotus
| 3G Nano
| 1.1.3
| Windows
| a080e0104.htm
| a080e7f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080f0104.htm
| a080f7f04.htm
| Tested
|-
| JoeWheeler
| 3G Nano
| 1.1.3
| Windows
| a08100104.htm
| a08100904.htm
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| class="wikitable"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| 1.1.3
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2f04.htm a080a3a04.htm a080a5c04.htm
| #2 for sweepfreeze #2 for sweepcrash
| Probably nothing much, but check it out.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a4b04.htm
| VERY Strange..hard to describe <sup>1</sup>
| Check this out.. Same for the sweepcrash..
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a1004.htm
| #3
| Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|-
| KAB123
| 2G Classic
| 2.0.1
| Windows
| 09196804.htm 08334d04.htm
| #4 for sweepfreeze, #4 for sweepcrash.
|
|}

<sup>1</sup> - I have added a video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]

c416d330e68fe70459e474d1478876831ddd5883 Nanotron 3000 0 130 3141 3047 2010-08-19T23:07:37Z User890104 124 wikitext text/x-wiki

{{Outdated|reason=This project is an old attempt at [[Address bruteforcing]]}}

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the freemyipod team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like [[Sto]] used on the 2G. This would be more expensive but easier IMO.

== Completed Nanotrons ==

=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]] [[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it; unfortunately, no pictures of that one have been taken.

==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]] [[File:Nanotron2G-TheSeven-2.jpg|200px]] [[File:Nanotron2G-TheSeven-3.jpg|200px]] [[File:Nanotron2G-TheSeven-4.jpg|200px]] [[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work).
It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.

==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]] [[File:IMG_0017.JPG|200px]] [[File:IMG_0018.JPG|200px]] [[File:IMG_0019.JPG|200px]] [[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg|200px]] [[File:Nanotron3g2.jpg|200px]] [[File:Nanotron3g3.jpg|200px]] [[File:Nanotron3g4.jpg|200px]]

This Nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3G. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rest on one rubber ring each, come from a bicycle wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire.
One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up. The software is a slightly modified version of [[cmwslw]]'s code.

== Timings for resetting and rebooting iPods ==
{| class="wikitable"
|-
! Action
! Nano 4G
! Classic 2G
|-
| Reset
| 5 seconds
| 5 seconds
|-
| Reboot to main menu (cable disconnected)
| 17.5 seconds
| 28 seconds
|-
| Reboot to main menu (cable connected)
| 35 seconds
| 28 seconds
|-
| Reboot to disk mode (cable disconnected)
| 2-3 seconds
| 4-5 seconds
|-
| Reboot to disk mode (cable connected)
| 11 seconds
| 4-5 seconds
|}

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So testing one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). At that rate we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons. We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to be to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...
=== Testing for freeze ===
'''This info is sort of outdated but possibly useful.'''

Currently, the easiest way to test for a working iPod is to look for a line similar to:
<pre>
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
</pre>
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Care will need to be taken to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

5050960539ff29072430f663adad92d1ecdac9a0 Extracting firmware 0 57 3142 2728 2010-08-19T23:16:08Z User890104 124 wikitext text/x-wiki

The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/. The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw

On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is considered a workaround, because Nano 4G firmwares are detected as Nano 3G firmwares, but the offset is different.
To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw

These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in:
<pre>extract2g --help</pre>

===Removing header===
If you are using the osos.fw output by extract2g in iLoader, you also need to remove the 2 KiB header from it:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Alternatively, under Windows, open osos.fw in HxD and choose 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.

Then put osos.out into /iLoader/osos.fw

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

18346efffa6fe95af0d62a7f3c0a65fa49135ac2 Main Page 0 50 3143 3136 2010-08-20T22:31:04Z Farthen 28 Format the dates correctly by user preference wikitext text/x-wiki

__NOTOC__
[[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox].

==Updates==
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

8bc4bc0c27e109cbfdade9117bf379f07c58e0b3 3148 3143 2010-08-26T21:53:51Z TheSeven 13 News update wikitext text/x-wiki

__NOTOC__
[[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox].

==Updates==
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 6d57225b716f26c0ee2d2d77f6449f4b959c2ce8 3194 3193 2010-10-13T13:08:10Z TheSeven 13 Changed protection level for "[[Main Page]]": edit=autoconfirmed apparently didn't do what it was supposed to ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki 6d57225b716f26c0ee2d2d77f6449f4b959c2ce8 Status 0 121 3144 3055 2010-08-20T23:59:28Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit for this device to get execution.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="inprogress">Someone already started working on this. We don't know when this will be done.</ref> <ref name="ibugger">[[iBugger]] is deprecated software and the goal is to replace it with [[emBIOS]].</ref> <ref name="sram">This iBugger is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched.</ref> </references> 841adbb28f94fbb78be9ecc4074658384dfb11cb 3160 3144 2010-09-01T21:48:58Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G]] !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit for this device to get execution.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="inprogress">Someone already started working on this. 
We don't know when this will be done.</ref> <ref name="ibugger">[[iBugger]] is deprecated software and the goal is to replace it with [[emBIOS]].</ref> <ref name="sram">This iBugger is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched.</ref> </references> c2e92add38687dd616619c582d90217069ce5928 3161 3160 2010-09-01T21:57:07Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | iBugger<ref name="ibugger"/> | <span 
style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> | <span style="color:grey">'''No'''<ref name="inprogress"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 
Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit for this device to get execution.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="inprogress">Someone already started working on this. We don't know when this will be done.</ref> <ref name="ibugger">[[iBugger]] is deprecated software and the goal is to replace it with [[emBIOS]].</ref> <ref name="sram">This iBugger is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched.</ref> <ref name="nano6g">The nano 6g is something entirely new and we don't know at all how this device works and if we want to do something with it.</ref> </references> e2c3cd59fd4b1b5e35cecbf9a02fe6c78ae0c1fb 3162 3161 2010-09-02T01:06:26Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. 
This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> </references> dc17368a16aad173bb9dfaf5c7c50f78d4bdc30f
EmBIOS Monitor Protocol 0 258 3145 3130 2010-08-22T13:23:08Z Farthen 28 /* 9: Write to I2C device */ wikitext text/x-wiki
This article describes the USB communication protocol of emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number
|-
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version
|-
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version
|-
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version
|-
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID
|-
|}

{| class="wikitable prettytable"
|+ Software Types
|-
! Software Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 1 || emBIOS Debugger
|-
|}

{| class="wikitable prettytable"
|+ Hardware Types
|-
! Device Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 0x47324e49 || iPod Nano 2G
|-
| style="text-align:right" | 0x47334e49 || iPod Nano 3G
|-
| style="text-align:right" | 0x47344e49 || iPod Nano 4G
|-
| style="text-align:right" | 0x4c435049 || iPod Classic
|-
|}

==== Get packet size information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size
|-
|}

==== Get user memory address range ====
Provides information about the range of memory not used by emBIOS itself.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged, however there might be substantial delay before device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. 
Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. 
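The header layouts and size limits described on this page can be collected into a small host-side codec. The Python below is an added example, not code from the emBIOS project: it packs the 16-byte command header, checks status codes, enforces the Command IN limit for command 13, and trims the padded data stage to the device-reported length. The function names, the console bitmask value and the sample response bytes are constructed for illustration; no USB transfer is performed.

```python
import struct

HEADER_LEN = 16  # every command and response starts with a 16-byte header
STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 1, 2, 3

# Device Type IDs from the "Hardware Types" table.
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class MonitorError(Exception):
    """The response violates the protocol or reports a failure."""


class DeviceBusy(MonitorError):
    """Status 3: another asynchronous command is running, retry later."""


def build_command(cmd_id, a=0, b=0, c=0, payload=b""):
    """Pack four little-endian 32-bit words, then the optional data stage."""
    return struct.pack("<4I", cmd_id, a, b, c) + payload


def split_response(raw):
    """Validate the status word; return (three header words, data stage)."""
    if len(raw) < HEADER_LEN:
        raise MonitorError("short response: %d bytes" % len(raw))
    status, a, b, c = struct.unpack_from("<4I", raw)
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status == STATUS_UNSUPPORTED:
        raise MonitorError("command not supported")
    if status != STATUS_OK:  # 0 or anything unknown: bail out
        raise MonitorError("invalid response, status %d" % status)
    return (a, b, c), raw[HEADER_LEN:]


def parse_version(raw):
    """Decode the response to command 1, information type 0."""
    split_response(raw)
    rev, major, minor, patch, sw_type, dev_type = struct.unpack_from(
        "<I4BI", raw, 4)
    return {
        "revision": rev,
        "version": (major, minor, patch),
        "software_type": sw_type,
        "device": DEVICE_TYPES.get(dev_type, "unknown (0x%08x)" % dev_type),
    }


def parse_packet_sizes(raw):
    """Decode the response to command 1, information type 1."""
    split_response(raw)
    names = ("cmd_out", "cmd_in", "data_out", "data_in")
    return dict(zip(names, struct.unpack_from("<2H2I", raw, 4)))


def build_console_read(bitmask, nbytes, max_cmd_in):
    """Command 13. The limit counts the 16-byte response header as well."""
    if nbytes < 0 or HEADER_LEN + nbytes > max_cmd_in:
        raise ValueError("read of %d bytes exceeds Command IN limit" % nbytes)
    return build_command(13, bitmask, nbytes)


def parse_console_read(raw, requested):
    """Return only the valid bytes; the rest of the data stage is padding."""
    (actual, _, _), data = split_response(raw)
    # The count comes from the device: never slice past what was requested
    # or past what actually arrived.
    if actual > requested or actual > len(data):
        raise MonitorError("device reported %d bytes, buffer holds %d"
                           % (actual, min(requested, len(data))))
    return data[:actual]


if __name__ == "__main__":
    # Constructed sample responses (not captured from a device).
    print(parse_version(struct.pack("<II4BI", 1, 123, 0, 1, 0, 1, 0x47324E49)))
    limits = parse_packet_sizes(struct.pack("<I2H2I", 1, 64, 64, 4096, 4096))
    request = build_console_read(1, 48, limits["cmd_in"])  # bitmask 1 assumed
    reply = struct.pack("<4I", 1, 5, 0, 0) + b"hello" + b"\xaa" * 43
    print(request.hex(), parse_console_read(reply, 48))
```

The same `split_response` check applies to every command on this page; only the meaning of the three remaining header words changes per command.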
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate an HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 8a99b8d52544a6458abc10eed6db94af7c7a0d76 3146 3145 2010-08-24T13:38:10Z TheSeven 13 Monitor protocol change: transfer size 0 for I2C transfers means 256 bytes wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor.
== Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
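
The 16-byte header layout from General Structure and the size limits on commands 4 and 6, as an added example in Python (not part of emBIOS or its host tools). The function names, the chunking strategy in <code>plan_read</code> and the sample response bytes are assumptions constructed here; the packet fields follow the tables on this page.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header
STATUS_TEXT = {0: "invalid response", 1: "OK",
               2: "command not supported", 3: "device busy, retry later"}
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}


class MonitorError(Exception):
    """Raised for any response whose status code is not 1 (OK)."""
    def __init__(self, status):
        super().__init__(STATUS_TEXT.get(status, "unknown status %d" % status))
        self.status = status


def build_command(cmd_id, *words, payload=b""):
    """Command ID plus up to three 32-bit little-endian words, zero padded."""
    if len(words) > 3:
        raise ValueError("a 16-byte header holds the ID and three words")
    fields = (cmd_id,) + words + (0,) * (3 - len(words))
    return struct.pack("<4I", *fields) + payload


def split_response(packet):
    """Check the status word; return (12 remaining header bytes, data stage)."""
    if len(packet) < HEADER_SIZE:
        raise MonitorError(0)  # truncated header: treat as an invalid response
    (status,) = struct.unpack_from("<I", packet)
    if status != 1:
        raise MonitorError(status)
    return packet[4:HEADER_SIZE], packet[HEADER_SIZE:]


def parse_version(packet):
    """Response to command 1, information type 0."""
    fields, _ = split_response(packet)
    svn, major, minor, patch, sw_type, dev_type = struct.unpack("<I4BI", fields)
    return {"svn": svn, "version": (major, minor, patch),
            "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev_type, "unknown 0x%08x" % dev_type)}


def parse_packet_sizes(packet):
    """Response to command 1, information type 1."""
    fields, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def plan_read(address, size, sizes):
    """Turn one read into command packets that respect the device limits.

    Small reads use command 4 (data returned after the header on the command
    pipe); larger ones are split into command 6 DMA reads, each at most
    sizes["data_in"] bytes. Returns a list of (pipe, packet) pairs.
    """
    if size < 0 or address < 0 or address + size > 2 ** 32:
        raise ValueError("read does not fit in the 32-bit address space")
    if size <= sizes["cmd_in"] - HEADER_SIZE:
        return [("command", build_command(4, address, size))]
    if sizes["data_in"] <= 0:
        raise ValueError("device reported no usable Data IN packet size")
    plan = []
    while size > 0:
        chunk = min(size, sizes["data_in"])
        plan.append(("data", build_command(6, address, chunk)))
        address += chunk
        size -= chunk
    return plan


def read_memory_data(packet, size):
    """Extract the data stage of a command 4 response."""
    _, data = split_response(packet)
    if len(data) < size:
        raise MonitorError(0)  # short data stage: do not trust the packet
    return data[:size]


# Constructed sample responses (not captured from a real device).
SAMPLE_VERSION = struct.pack("<I I 4B I", 1, 123, 0, 1, 0, 1, 0x47324E49)
SAMPLE_SIZES = struct.pack("<I H H I I", 1, 512, 512, 65536, 65536)
SAMPLE_BUSY = struct.pack("<4I", 3, 0, 0, 0)

if __name__ == "__main__":
    print(build_command(1, 0).hex())          # "get version information"
    print(parse_version(SAMPLE_VERSION))
    limits = parse_packet_sizes(SAMPLE_SIZES)
    for pipe, packet in plan_read(0x1000, 150000, limits):
        print(pipe, packet.hex())
    try:
        split_response(SAMPLE_BUSY)
    except MonitorError as err:
        print("status", err.status, "-", err)
```

A caller that catches <code>MonitorError</code> with status 3 can retry later, as the status table says; status 0 or 2 should end the session.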
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} b42c158870741371237586cda84f0bf224c7671d EmBIOS 0 267 3147 3087 2010-08-25T06:28:04Z Farthen 28 /* Building */ wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction layer with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Previously, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * You can compile emBIOS for all targets ('make') or for only some ('make target1 target2').
You can find out the target names on [http://builds.freemyipod.org/ the buildserver]. * If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script), you can set the CROSS variable to your prefix. For example, to compile for the iPod nano 2g with a toolchain prefixed with arm-elf-eabi-, run: <code>CROSS=arm-elf-eabi- make ipodnano2g</code> bb36ea2668f35802715c1931a979e1c03ce1ffd5 Template:Outdated 10 262 3153 3043 2010-08-29T17:09:01Z Farthen 28 wikitext text/x-wiki {| style="padding:10px; border: solid 2px red; background: #fee;" | [[File:Nuvola_apps_important.svg|50px|Warning]] | style="width: 100%; padding-left: 15px;" | '''The information and/or topic discussed here is not up to date.'''<br /> {{{reason|}}} |} 9d489cbb88f813f90cc02a86833ab1710df04274 Nano2G HW analysis 0 94 3155 3078 2010-08-29T17:15:47Z Farthen 28 wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == Previous work == See [[Nano 2G]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To speed up the search, a coarser search was performed first using a novel method: soldering a coil wire to one end and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were routed, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]].
== JTAG ==
The JTAG was found after searching with a JTAG bruteforce scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable, and installing openwince, we can try to connect to the JTAG:

'''The screen freezes directly when we use the JTAG.'''

This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, and no memories are reachable any more. The only memories preserved are the data and instruction caches.
== JTAG cache dumps ==
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the Icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics over many dumps to obtain helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example.
If this is not done, the iPod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example]
== getting code execution ? ==
[[Notes_exploit]]
7b9e35f6197ca39445753d5d177a515be146e733 MPEG movies 0 173 3157 3004 2010-08-29T17:23:48Z Farthen 28 wikitext text/x-wiki
Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this Article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod nano 2g but can easily be modified to work for any Rockbox version. Do you want to watch movies on your iPod Nano 2g? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod: First install Rockbox.
== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, then press Enter:
<pre>
ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
</pre>
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
<pre>
ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
</pre>
Now wait for the program to finish. Now on your Desktop you should see a new file. Boot your iPod to disk mode.
(pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click files, then click on your movie file and it should play.
== Linux Instructions: ==
Mac OS X users can follow these instructions after getting ffmpeg from [http://www.finkproject.org/ fink]. First install ffmpeg. On Debian-based systems you can use <code>sudo apt-get install ffmpeg</code>. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:
<pre>
ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
</pre>
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
<pre>
ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
</pre>
''Note: If libmp3lame doesn't work use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox navigate to your file and play it.
== Several Notes ==
To get a widescreen aspect ratio try 170x128; try changing the ratio to get a better view. Your videos might take some time to convert.
637f1fecc840ee9fdcb118602c0d0ca42effd836 User talk:Wolftail 3 273 3164 2010-09-02T20:41:50Z Wolftail 138 Moved some stuff from my profile to the talk page where it belongs. Nothing new. wikitext text/x-wiki
PS: If anyone will read this... Is it possible to update the 1G Classic (160GB) to the 2.0.x firmware of the 2G/3G Classic? (I know that the hardware is almost a perfect match.) I think it could be done by getting an image of the HDD of an iPod Classic with the new software and overwrite it to the older one. Has anyone tried this? Can it be done? Thank You very much for all your work!
:Yes, this should be possible and in fact we have done something similar with the 4G.
One time we copied the contents of a 8GB Nano 4G and gave it to me to put on my 16GB Nano 4G. It booted fine. But the thing is the Classic 2G has some headphone hardware that the 1G does not, and this could cause a crash when booting or using. We are more interested in copying the Classic 2G firmware to the Classic 3G since the 3G ships with firmware that has the notes vulnerability patched. [[User:Cmwslw|Cmwslw]] 05:18, 16 August 2010 (UTC) Thanks for the quick reply! I know about the headphone difference but I still hope that those really tiny chips that are added on the motherboard of the Classic 2G aren't so important that the OS will crash without them. I believe that porting new features to iPods via the original firmware if possible should also be included in this wiki. I do also understand that porting Rockbox on the new iPods is of higher priority and just hope that someone will find some spare time for this. [[User:Wolftail|Wolftail]] 12:55, 16 August 2010 (UTC) 24b75360517cef3a2c19c8c900a7d0404492f88b User:Wolftail 2 271 3165 3127 2010-09-02T20:42:12Z Wolftail 138 Moved some stuff from my profile to the talk page where it belongs. Nothing new. wikitext text/x-wiki Hey, there! My name is Lala Ionuț, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. I am willing to do non-destructive testing in order to help the project. 
c6e0cdd2616c8e8d7600893f2e2778446d8cc57b Getting execution 0 204 3166 2709 2010-09-04T18:58:37Z Benedikt93 145 fix redirect (though it might not be needed anymore) wikitext text/x-wiki #REDIRECT [[Notes vulnerability]] 2f20eb62907e3e8c33d965dcc82500ec1d358f61 Firmware decryption 0 66 3170 2966 2010-09-06T13:44:44Z Wolftail 138 /* Background */ corrected a typo wikitext text/x-wiki ==Background== Encrypting the firmware started with the release of iPod 4G.
Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After discovering the notes exploit, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent to it. After the decryption process completes, the decrypted data is downloaded.
==ipodcrypt==
The ipodcrypt utility has the following features:

for [[Nano 2G]]:
*encrypt/decrypt DFU image
*encrypt/decrypt firmware file contents
*encrypt/decrypt dump of NOR flash's contents
for [[Nano 4G]]:
*decrypt firmware file contents
Decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter, the pyUSB module and libusb installed. It is possible to run the utilities on both Windows and Linux.
==Prerequisites==
===Windows===
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below). Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows.
You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads

You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.

'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended. To use the 1.2.x version, extract it into the folder where you extracted the iBugger driver, overwriting the .dll and .sys files with the ones from the 1.2.x package. Installing the driver is then as usual.

'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions.
===Linux===
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
<pre>
easy_install pyusb
</pre>
Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.
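The Background section's guess of "AES-CBC with 128-bit blocks" is the kind of conclusion a ciphertext-only look at an image can support, and the following added example (not part of ipodcrypt or of this project's code) shows such a triage: byte entropy, 16-byte alignment and repeated-block counting. All function names are hypothetical, the sample data is constructed, and <code>toy_block</code> is a SHA-256 stand-in for AES that only mimics its statistics.

```python
"""Ciphertext-only triage of a firmware blob (added example, constructed data)."""
import hashlib
import math
from collections import Counter

BLOCK = 16  # 128-bit blocks, matching the page's AES guess
KEY = b"constructed key!"  # constructed sample key, not a real device key
IV = bytes(BLOCK)          # constructed all-zero IV


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def repeated_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of aligned blocks that are duplicates of another block."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    if not blocks:
        return 0.0
    return 1 - len(set(blocks)) / len(blocks)


def classify(data: bytes) -> str:
    """Rough verdict; needs a few KB of input for the entropy estimate to be meaningful."""
    if shannon_entropy(data) < 7.0:
        return "low entropy: not encrypted"
    if len(data) % BLOCK:
        return "high entropy, not block-aligned: stream cipher or compression"
    if repeated_block_ratio(data) > 0:
        # Equal plaintext blocks (padding, erased flash) produced equal ciphertext blocks.
        return "block cipher without chaining (ECB-like)"
    return "consistent with a chained mode such as CBC"


def toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: keyed, deterministic, pseudo-random. Not invertible."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def toy_ecb(key: bytes, data: bytes) -> bytes:
    """Every block transformed independently, as in ECB."""
    return b"".join(toy_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def toy_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Each block XORed with the previous output first, as in CBC."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def sample_plaintext() -> bytes:
    """Constructed 4 KiB image: every fourth block is 0xFF padding, the rest are records."""
    blocks = []
    for i in range(256):
        if i % 4 == 0:
            blocks.append(b"\xff" * BLOCK)
        else:
            blocks.append(b"rec %04d payload" % i)  # exactly 16 bytes
    return b"".join(blocks)


if __name__ == "__main__":
    plain = sample_plaintext()
    samples = {
        "plaintext": plain,
        "ecb-like": toy_ecb(KEY, plain),
        "cbc-like": toy_cbc(KEY, IV, plain),
    }
    for name, blob in samples.items():
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} "
              f"repeats={repeated_block_ratio(blob):.3f} -> {classify(blob)}")
```

The last verdict is only "consistent with" CBC: compressed data or a stream cipher whose output length happens to be a multiple of 16 looks the same from ciphertext alone.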
===Mac OS X===
(to be added later)
==Helpful pages==
http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/
4c6a9112536b908e6bc9bd043b392a23f744bb40 Dumping firmware 0 53 3171 2991 2010-09-09T11:17:55Z User890104 124 wikitext text/x-wiki
The first step to examining an iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.
==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type <code>dd if=/dev/sdX1 of=dump.img</code> in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:
===1G-3G Nano firmware structure===
{| class="wikitable"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}
===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| class="wikitable"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot".
This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhone's and iPod Touch's. |} You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE d2dfc69de8cab26ba6a54e01a0bfaa1453532c57 File:Nano 6g frt a.png 6 274 3172 2010-09-09T13:34:52Z Wolftail 138 This is the front of the logic board of the newly released iPod Nano 6g (the one with multitouch). wikitext text/x-wiki This is the front of the logic board of the newly released iPod Nano 6g (the one with multitouch). 80d4f421c3ee009a47fd02382b04697d78200994 File:Nano 6g bck a.png 6 275 3173 2010-09-09T13:35:26Z Wolftail 138 This is the back of the logic board of the newly released iPod Nano 6g (the one with multitouch). wikitext text/x-wiki This is the back of the logic board of the newly released iPod Nano 6g (the one with multitouch). cb37175c766453f45d3b1660cc95bca76cf4c6d4 Nano 2G 0 241 3174 2997 2010-09-09T13:44:43Z TheSeven 13 wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 1 | CPU | Samsung S5L8701 |337S32918701, N042DQS, 0636 ARM | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 176kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. 
Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | 2 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75, K4M56163PG, AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | 3 | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A, 90-4C-C2QE, 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | N/A | DSP | N/A | N/A | Doesn't seem to be present at all. 
|- | B1 | NAND Flash | Varies |TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20 | |- | 6 | USB charging | LTC4066 |Linear Technology, 6H, 4066, B8966 | |- | 5 | Audio codec | Wolfson WM8975 |APPLE, 338S0310, 68BTST8 | |- | 4 | Step down regulator | LM34910 |National Semiconductor, JM66RJ, L34910B | |- | B2 | Power manager (below) | NXP PCF50633UM |APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 3e2d3267fc0c3809cd906f2d4292d92f85ec175e Nano 6G 0 276 3175 2010-09-09T13:48:10Z Wolftail 138 Created a page for the new iPod Nano 6G. wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | Red | NAND Flash | | Toshiba TH58NVG6E2FLA4C 8GB NAND | |- | Cyan | | | Apple 33850859 C0E111022 | |- | Orange | | | Apple 338S0783-B1 10298HLS | |- | Yellow | | | 0650 D0UY 027 | |- | Blue | | | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | |- | Pink | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. 
==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 d128017bc3b6c4efcb38c3cad92a200d4a240e3b 3176 3175 2010-09-09T13:51:14Z Wolftail 138 /* Components */ wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | Red | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | Cyan | | | Apple 33850859 C0E111022 | |- | Orange | | | Apple 338S0783-B1 10298HLS | |- | Yellow | | | 0650 D0UY 027 | |- | Blue | | | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | |- | Pink | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 72ddf591d0071178a16339adaed9ca8c831bd5a3 3177 3176 2010-09-09T14:04:55Z Wolftail 138 Added Colors to the components table. wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | |- | <span style="color:yellow">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | | | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | |- | <span style="color:pink">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. 
We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 9de031097ecc269f9a18b6813291b4af92de8bb5 3178 3177 2010-09-09T14:10:24Z Wolftail 138 made some of the colors more readable wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | |- | <span style="color:#e8e838">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | | | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | |- | <span style="color:#cf5eea">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 d2d1b8768c7907e8922f8999f46f162c6e6d255b 3182 3178 2010-09-09T19:34:52Z User890104 124 add info about the nano 6g cpu wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | |- | <span style="color:#e8e838">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 42b6fd9fc4acc284073f0fa9cc4ee0a61adb58a2 3184 3182 2010-09-09T20:11:54Z Wolftail 138 /* Components */ wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | Could be the Power Manager? Someone please confirm this. |- | <span style="color:#e8e838">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. 
[http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. The red and black cables lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 9164ea7c36b13a51c49e40b0d8b6963400f78b7e 3185 3184 2010-09-11T21:25:29Z Wolftail 138 added a link wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | Could be the Power Manager? Someone please confirm this. |- | <span style="color:#e8e838">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.<br /> The red and black cables lead to the battery. 
==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 Reviews: *http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars dccea40f285887a20420969d3d004e4daf6683b8 Hardware 0 54 3179 2995 2010-09-09T14:20:01Z Wolftail 138 added the new nano 6g to the list wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G]] |? |? |? |? |? 
|- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs. ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx f89132af04ee73c2433c07b4b7c0f48242fcbf86 3180 3179 2010-09-09T14:23:08Z Wolftail 138 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! 
size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G|"Nano" 6G]] |? |? |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs. ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 8377e51c6c0718e2e55a56a512428ecd35c8ca9c 3183 3180 2010-09-09T19:36:32Z User890104 124 wikitext text/x-wiki This is just a basic comparison of each generation's main components. 
For a detailed hardware analysis of a generation, click on its link.

{| class="wikitable"
! Generation !! CPU !! RAM !! size !! Utility flash !! size
|-
|[[Nano 1G]]
|PP5021C-TDF
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41856 SST39WF400A]
|512kB
|-
|[[Nano 2G]]
|S5L8701
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41422 SST39WF800A]
|1MB
|-
|[[Nano 3G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Nano 4G]]
|S5L8720
|Integrated
|32MB
|?
|?
|-
|[[Nano 5G]]
|S5L8730
|Integrated
|?
|?
|?
|-
|[[Nano 6G|"Nano" 6G]]
|S5L8723
|?
|?
|?
|?
|-
|[[Classic 1G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Classic 2G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Classic 3G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|}

Concerning the detailed generation pages:
*If you can prove or disprove any of these chip names, please let us know on the mailing list.
*The sources for the original and annotated PCB scans can be found at http://l4n.clustur.com/data/board_imgs.
==Helpful pages==
Chip analyses
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx

ILoader 0 146 3189 2724 2010-10-01T13:30:27Z TheSeven 13 wikitext text/x-wiki
Booting code through the notes exploit has proven too inconvenient in the long term: it breaks the Apple firmware, yet you still have to wait through its non-negligible boot time. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed.

iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable.

iLoader only works on the 2G Nano, as this is the only iPod we've figured out the FTL for.

For installation instructions, see the [http://theseven.freemyipod.org/iloader iLoader homepage].

Chronology 0 65 3190 3003 2010-10-07T18:38:00Z Benedikt93 145 wikitext text/x-wiki
This page lists all iPod models and fixes the names used for them, so that nobody on this wiki or on IRC is confused about which device is being discussed.

Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page.

==iPod Series==
{| class="wikitable"
! Model !! Introduced !! Capacity !! 
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G]
| 2001-10
| 5 GB or 10 GB
|
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G]
| 2002-07
| 10 GB or 20 GB
|
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G]
| 2003-04
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]
| 2004-07
| 20 GB or 40 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]
| 2004-10
| 20 GB, 30 GB, or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]
| 2005-10
| 30 GB or 60 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]
| 2006-09
| 30 GB or 80 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]
| 2007-09
| 80 GB or 160 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]
| 2008-09
| 120 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]
| 2009-09
| 160 GB
|
|}

==iPod Nano Series==
{| class="wikitable"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]
| 2005-09
| 1 GB, 2 GB, or 4 GB
|
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]
| 2006-09
| 2 GB, 4 GB, or 8 GB
| Encryption starts
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]
| 2007-09
| 4 GB or 8 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]
| 2008-09
| 8 GB or 16 GB
|
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]
| 2009-09
| 8 GB or 16 GB
|
|-
| Nano 6G
| 2010-09
| 8 GB or 16 GB
| Multi-Touch display
|}

==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]

==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted.
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that many imitations replicated the hardware and ran the exact firmware that ran on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.

==The Response==
Since Apple was losing money to the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.

==The Change==
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.

==Helpful Pages==
http://support.apple.com/kb/HT1353

Contact 0 259 3191 3067 2010-10-08T20:13:04Z Benedikt93 145 wikitext text/x-wiki
There are various ways to contact the freemyipod team.

== IRC ==
We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; please check http://logs.freemyipod.org for the logfiles.

=== #freemyipod ===
This channel is for anything related to the project. This may be development related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]

=== #freemyipod-support ===
This is our support channel. If you have questions or problems concerning our software, this is the place to ask.
You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]

=== #freemyipod-chatter ===
This is our offtopic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.

=== freemyipod ===
This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod here]

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.

S5L8700 datasheet 0 255 3195 3097 2010-10-17T19:25:41Z Benedikt93 145 wikitext text/x-wiki
The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail.
The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version.

==Helpful pages==
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html

http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html

Talk:Nano 5G 1 277 3200 3199 2010-10-26T16:20:16Z Benedikt93 145 wikitext text/x-wiki
Have you people tried using the usb_control_msg(0xA1, 1) on the Nano 5G? from the ipod touch? [http://theiphonewiki.com/wiki/index.php?title=Usb_control_msg%280xA1%2C_1%29_Exploit here] 23:28, 23 October 2010 (UTC)
:I passed this to discussion on IRC, maybe someone will check this (I don't have a Nano 5G myself). Though, the Nano 5G uses a newer processor than the Touch 2G, so the code leading to this exploit might have changed. --[[User:Benedikt93|Benedikt93]] 17:38, 24 October 2010 (UTC)
::Someone can also check out the new bootrom exploit Geohot released and see if it works on the Nanos. [[User:DaUnion|DaUnion]] 01:51, 26 October 2010 (UTC)
:::AFAIK, [[User:TheSeven|TheSeven]] had the intention to do so, but I don't know if he already did so.
--[[User:Benedikt93|Benedikt93]] 16:20, 26 October 2010 (UTC)

EmBIOS Monitor Protocol 0 258 3202 3146 2010-11-01T17:04:57Z TheSeven 13 wikitext text/x-wiki
This article describes the USB communication protocol of emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number
|-
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version
|-
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version
|-
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version
|-
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID
|-
|}

{| class="wikitable prettytable"
|+ Software Types
|-
! Software Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 1 || emBIOS Debugger
|-
|}

{| class="wikitable prettytable"
|+ Hardware Types
|-
! Device Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 0x47324e49 || iPod Nano 2G
|-
| style="text-align:right" | 0x47334e49 || iPod Nano 3G
|-
| style="text-align:right" | 0x47344e49 || iPod Nano 4G
|-
| style="text-align:right" | 0x4c435049 || iPod Classic
|-
|}

==== Get packet size information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size
|-
|}

==== Get user memory address range ====
Provides information about the range of memory not used by emBIOS itself.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
|}

=== 2: Reset ===
Reboot the device.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! 
Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Both variants are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! 
Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe.
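
The framing from General Structure together with commands 1, 4 and 5 above, as an added Python example (not code from the emBIOS project): it builds the 16-byte command headers, enforces the Command IN/OUT packet size limits, and decodes responses. The function names are hypothetical, the sample response bytes and the address are constructed, and the USB transfer itself is left out.

```python
import struct

HEADER_LEN = 16  # every command and response starts with a 16-byte header
STATUS = {0: "invalid response", 1: "OK", 2: "command not supported",
          3: "device busy, retry later"}
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}


class MonitorError(Exception):
    """Malformed response or a status code other than 1 (OK)."""


def build_command(cmd_id, *args, payload=b""):
    """Pack the command ID plus up to three 32-bit words, little endian.

    Unused words are sent as zero ("Should be zero" in the tables); any
    payload follows the header directly.
    """
    if len(args) > 3:
        raise ValueError("a 16-byte header holds the ID and three words")
    words = [cmd_id, *args] + [0] * (3 - len(args))
    return struct.pack("<4I", *words) + bytes(payload)


def split_response(packet):
    """Validate a response; return (header bytes 4..15, data stage)."""
    if len(packet) < HEADER_LEN:
        raise MonitorError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status != 1:
        raise MonitorError(STATUS.get(status, "unknown status %d" % status))
    return packet[4:HEADER_LEN], packet[HEADER_LEN:]


def version_request():
    return build_command(1, 0)  # command 1, information type 0


def parse_version(packet):
    rest, _ = split_response(packet)
    rev, major, minor, patch, sw_type, dev = struct.unpack("<IBBBBI", rest)
    return {"revision": rev, "version": (major, minor, patch),
            "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev, "unknown (0x%08x)" % dev)}


def packet_size_request():
    return build_command(1, 1)  # command 1, information type 1


def parse_packet_sizes(packet):
    rest, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", rest)
    return {"command_out": cmd_out, "command_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def read_memory_request(address, length, max_command_in):
    """Command 4; header plus data must fit one Command IN packet."""
    if length < 0 or HEADER_LEN + length > max_command_in:
        raise ValueError("read would exceed the Command IN packet size")
    return build_command(4, address, length)


def parse_read_memory(packet, length):
    _, data = split_response(packet)
    if len(data) < length:
        raise MonitorError("data stage shorter than requested")
    return data[:length]


def write_memory_request(address, data, max_command_out):
    """Command 5; header plus data must fit one Command OUT packet."""
    if HEADER_LEN + len(data) > max_command_out:
        raise ValueError("write would exceed the Command OUT packet size")
    return build_command(5, address, len(data), payload=data)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a device.
    sizes = struct.pack("<IHHII", 1, 64, 64, 65536, 65536)
    version = struct.pack("<IIBBBBI", 1, 100, 0, 1, 2, 1, 0x47324E49)
    limits = parse_packet_sizes(sizes)
    print(parse_version(version))
    # 0x08000000 is a constructed address, used only for illustration.
    print(read_memory_request(0x08000000, 32, limits["command_in"]).hex())
```

Query the packet sizes first and pass the returned limits to the request builders, so an oversized transfer is rejected on the host before anything is sent.
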
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

I2C transactions are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)
|-
|}

=== 9: Write to I2C device ===
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device
|-
|}

I2C transactions are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 10: Read from the USB console ===
Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size
|-
|}

=== 11: Write to the USB console ===
Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer
|-
|}

=== 12: Write to device's consoles ===
Use this command to write data to one or more of the consoles.
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 13: Read from device's consoles ===
Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size
|-
|}

=== 14: Flush device's console buffers ===
Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 15: Get process information ===
Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |}
d03507cf7645d42df8588718eff7050786b533e0 3205 3202 2010-11-10T06:56:23Z TheSeven 13 Reverted edits by [[Special:Contributions/TheSeven|TheSeven]] ([[User talk:TheSeven|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki

This article describes the USB communication protocol of the emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint
If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.
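The following Python code is an added example, not part of the original article or of the emBIOS code base. It encodes the 16-byte little-endian command header and decodes responses according to the Status Codes table and the command 1 and command 4 packet tables on this page, checking every length before trusting it. All function and class names are assumptions made for the example, the sample packets are constructed, and the four-character reading of the Device Type ID follows from the ASCII bytes of the listed values.

```python
import struct

HEADER_LEN = 16  # every command and every response starts with a 16-byte header

# Status Codes table
STATUS_TEXT = {
    0: "invalid response",
    1: "OK",
    2: "command not supported",
    3: "device busy, retry later",
}

# Hardware Types table (Device Type ID -> description)
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class MonitorError(Exception):
    """Raised for any status code other than 1 (OK)."""

    def __init__(self, status):
        super().__init__(STATUS_TEXT.get(status, "unknown status %d" % status))
        self.status = status


def build_command(cmd_id, *args, payload=b""):
    """Pack the command ID plus up to three 32-bit words; unused words stay zero."""
    if len(args) > 3:
        raise ValueError("a 16-byte header holds the command ID plus three words")
    words = list(args) + [0] * (3 - len(args))
    return struct.pack("<4I", cmd_id, *words) + bytes(payload)


def split_response(packet):
    """Check the header and status, return (12 header bytes after status, data stage)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status != 1:
        raise MonitorError(status)
    return packet[4:HEADER_LEN], packet[HEADER_LEN:]


def parse_version(packet):
    """Command 1, information type 0: version information."""
    body, _ = split_response(packet)
    rev, major, minor, patch, sw_type, dev_type = struct.unpack("<IBBBBI", body)
    return {
        "svn_revision": rev,
        "version": (major, minor, patch),
        "software_type": sw_type,
        "device": DEVICE_TYPES.get(dev_type, "unknown"),
        # The listed IDs are four ASCII bytes when stored little endian.
        "device_tag": struct.pack("<I", dev_type).decode("ascii", "replace"),
    }


def parse_packet_sizes(packet):
    """Command 1, information type 1: maximum packet size per endpoint."""
    body, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", body)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def read_memory_request(address, length, max_cmd_in):
    """Command 4: header plus data must fit the Command IN packet size."""
    if length < 0 or HEADER_LEN + length > max_cmd_in:
        raise ValueError("transfer would exceed the Command IN packet size")
    return build_command(4, address, length)


def parse_read_memory(packet, requested):
    """Return exactly the requested bytes; reject a short data stage."""
    _, data = split_response(packet)
    if len(data) < requested:
        raise ValueError("device returned fewer bytes than requested")
    return data[:requested]


if __name__ == "__main__":
    # Constructed sample responses, not captured from a device.
    version_pkt = struct.pack("<IIBBBBI", 1, 123, 0, 1, 0, 1, 0x47324E49)
    sizes_pkt = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
    print(build_command(1, 0).hex())
    print(parse_version(version_pkt))
    sizes = parse_packet_sizes(sizes_pkt)
    print(read_memory_request(0x08000000, 64, sizes["cmd_in"]).hex())
```
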
==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- !
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe.
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1)
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 26: HMAC-SHA1 ===
Generate an HMAC-SHA1 hash of a buffer. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

8a99b8d52544a6458abc10eed6db94af7c7a0d76 3206 3205 2010-11-10T06:57:08Z TheSeven 13 Oops, that was too much. wikitext text/x-wiki

This article describes the USB communication protocol of emBIOS monitor.
== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little-endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
Forced reboots won't send a response packet before rebooting.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Both variants are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
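The 16-byte header from General Structure, the two command 1 responses and the packet-size limits on commands 4 and 5, worked through in Python. This is an added example, not emBIOS project code; the function names, the optional user-range guard on writes and every sample packet value are assumptions constructed for illustration.

```python
import struct

HEADER_SIZE = 16  # every command and every response starts with 16 bytes
STATUS_TEXT = {0: "invalid response", 2: "command not supported",
               3: "device busy, retry later"}
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}


class ProtocolError(Exception):
    """Malformed response, or a status code other than 1 (OK)."""


class DeviceBusy(ProtocolError):
    """Status 3: another asynchronous command is running; retry later."""


def build_command(cmd_id, *words, payload=b""):
    """Pack the command ID and up to three 32-bit words, zero-filling the rest."""
    if len(words) > 3:
        raise ValueError("the header holds the ID and at most three words")
    fields = [cmd_id, *words] + [0] * (3 - len(words))
    return struct.pack("<4I", *fields) + payload


def split_response(packet):
    """Check the status word; return (12 command-specific bytes, data stage)."""
    if len(packet) < HEADER_SIZE:
        raise ProtocolError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status == 3:
        raise DeviceBusy(STATUS_TEXT[3])
    if status != 1:
        raise ProtocolError(STATUS_TEXT.get(status, "unknown status %d" % status))
    return packet[4:HEADER_SIZE], packet[HEADER_SIZE:]


def parse_version(packet):
    """Response to command 1, information type 0."""
    fields, _ = split_response(packet)
    svn, major, minor, patch, sw_type, dev_type = struct.unpack("<IBBBBI", fields)
    return {"svn_revision": svn, "version": (major, minor, patch),
            "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev_type, "unknown (0x%08x)" % dev_type)}


def parse_packet_sizes(packet):
    """Response to command 1, information type 1: two 16-bit, two 32-bit limits."""
    fields, _ = split_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", fields)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def build_read_memory(address, size, limits):
    """Command 4: header plus data of the reply must fit the Command IN limit."""
    if size < 0 or HEADER_SIZE + size > limits["cmd_in"]:
        raise ValueError("read exceeds the Command IN packet size")
    return build_command(4, address, size)


def parse_read_memory(packet, size):
    """Return exactly the requested bytes; header bytes 4..15 are undefined."""
    _, data = split_response(packet)
    if len(data) < size:
        raise ProtocolError("data stage shorter than requested")
    return data[:size]


def build_write_memory(address, data, limits, user_range=None):
    """Command 5: header plus data must fit the Command OUT limit."""
    if HEADER_SIZE + len(data) > limits["cmd_out"]:
        raise ValueError("write exceeds the Command OUT packet size")
    if user_range is not None:
        # Guard assumed by this example: stay inside the range reported by
        # command 1, type 2 (lower bound inclusive, upper bound exclusive).
        lower, upper = user_range
        if not (lower <= address and address + len(data) <= upper):
            raise ValueError("write falls outside the user memory range")
    return build_command(5, address, len(data), payload=data)


if __name__ == "__main__":
    # Constructed sample responses; no device is involved.
    limits = parse_packet_sizes(struct.pack("<IHHII", 1, 512, 512, 65536, 65536))
    print(limits)
    print(parse_version(struct.pack("<IIBBBBI", 1, 100, 0, 1, 0, 1, 0x47324E49)))
    print(build_read_memory(0x08000000, 64, limits).hex())
```

The device type IDs are four ASCII characters when laid out little endian (0x47324e49 is the byte string `IN2G`), which is a quick sanity check on a captured version response.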
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} b42c158870741371237586cda84f0bf224c7671d 3251 3206 2010-11-23T23:02:58Z Owixyze 158 wikitext text/x-wiki This article describes the USB communication protocol of the emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! 
Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! 
Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). 
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
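The header layout, status codes, version information response and Read memory size limit documented in the sections above, as an added Python example that is not part of the emBIOS project's own code. The function names, the choice to treat undocumented status codes like status 0, the sample address and the sample response bytes are assumptions made here.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header
ST_INVALID, ST_OK, ST_UNSUPPORTED, ST_BUSY = 0, 1, 2, 3
DEVICE_TYPES = {  # "Hardware Types" table from the page
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class MonitorError(Exception):
    """Raised when a response must not be trusted or acted on."""


def build_command(cmd_id, *args, payload=b""):
    """Pack a command ID plus up to three 32-bit little-endian arguments.

    Unused header words are sent as zero, matching the "Should be zero" fields.
    """
    if cmd_id == 0:
        raise ValueError("command 0 is invalid and must never be issued")
    if len(args) > 3:
        raise ValueError("the 16-byte header holds at most three arguments")
    words = list(args) + [0] * (3 - len(args))
    return struct.pack("<4I", cmd_id, *words) + bytes(payload)


def parse_response(packet):
    """Split a response into (status, 12 remaining header bytes, data stage)."""
    if len(packet) < HEADER_SIZE:
        raise MonitorError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status == ST_UNSUPPORTED:
        raise MonitorError("command not supported by this device")
    if status not in (ST_OK, ST_BUSY):
        # Status 0 means "bail out"; undocumented codes are handled the same
        # way here (an assumption, the page does not define them).
        raise MonitorError(f"invalid status code {status}, bailing out")
    return status, packet[4:HEADER_SIZE], packet[HEADER_SIZE:]


def decode_version(packet):
    """Decode the response to command 1, information type 0."""
    status, body, _ = parse_response(packet)
    if status != ST_OK:
        raise MonitorError("device busy, retry later")
    svn, major, minor, patch, sw_type, dev_type = struct.unpack("<I4BI", body)
    return {
        "svn": svn,
        "version": (major, minor, patch),
        "software": "emBIOS Debugger" if sw_type == 1 else "invalid/unknown",
        "device": DEVICE_TYPES.get(dev_type, "unknown"),
        # The listed IDs are four ASCII characters in little-endian byte order.
        "tag": struct.pack("<I", dev_type).decode("ascii", "replace"),
    }


def plan_memory_reads(address, length, max_cmd_in):
    """Split a read into command-4 packets that respect the Command IN limit.

    max_cmd_in is the value reported by command 1, information type 1; the
    limit includes the 16-byte response header.
    """
    chunk = max_cmd_in - HEADER_SIZE
    if chunk <= 0:
        raise ValueError("reported packet size leaves no room for data")
    if address < 0 or length < 0 or address + length > 1 << 32:
        raise ValueError("range does not fit the 32-bit address space")
    return [
        build_command(4, address + off, min(chunk, length - off))
        for off in range(0, length, chunk)
    ]


def read_data(packet, requested):
    """Return exactly the requested bytes from a command-4 response."""
    status, _, data = parse_response(packet)
    if status != ST_OK:
        raise MonitorError("device busy, retry later")
    if len(data) < requested:
        raise MonitorError("data stage shorter than requested")
    return data[:requested]


# Constructed sample: status 1, SVN revision 1234, version 0.1.2,
# software type 1, device type 0x47324e49.
SAMPLE_VERSION = struct.pack("<II4BI", 1, 1234, 0, 1, 2, 1, 0x47324E49)

if __name__ == "__main__":
    print(build_command(1, 0).hex())
    print(decode_version(SAMPLE_VERSION))
    for pkt in plan_memory_reads(0x08000000, 100, 64):  # constructed address
        print(struct.unpack("<4I", pkt))
```

Status 3 is returned to the caller by `parse_response` rather than raised, so a retry policy for busy devices can live in the transport layer.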
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 83a5b2fddf06ccaef24cbbe0ded943edbf930934 EmBIOS 0 267 3203 3147 2010-11-02T06:48:59Z Farthen 28 wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse it's SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]. ==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). 
You can find out the target names on [http://builds.freemyipod.org/ the buildserver] * If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code> ==Using== To communicate with emBIOS use the embios.py python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios,py without any arguments to get a list of possible commands. You can upload and download from/to the memory, read the i2c bus, run emBIOS applications or complete firmware files and much more. Just try it out! 7a926949e8655ad7f8d7e798184f9dd41fb89526 3204 3203 2010-11-02T06:49:14Z Farthen 28 wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. If you're curious about how emBIOS works, you can browse it's SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]. 
==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver] * If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code> ==Using== To communicate with emBIOS use the embios.py python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios,py without any arguments to get a list of possible commands. You can upload and download from/to the memory, read the i2c bus, run emBIOS applications or complete firmware files and much more. Just try it out! 
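The command and response packet layouts tabulated earlier for emBIOS Monitor Protocol commands 17 to 26 can be packed, decoded and checked offline. The following is an added example, not code from embios.py or the freemyipod SVN: the function and field names are its own, little-endian byte order is assumed, any status other than 1 is treated as a failure, and the sample values are constructed.

```python
import struct

STATUS_OK = 1  # every Response Packet table lists "Status Code (1)"

# Command ID -> (struct format, field names), transcribed from the Command
# Packet tables. Names are this example's own; "zeroN" marks a "Should be
# zero" field. Assumption: little-endian fields (the tables give only
# offsets and sizes). Command 23 (write raw boot flash) is left out because
# its size rule depends on the boot flash width, which the tables do not give.
COMMANDS = {
    17: ("<4I", ("id", "suspend", "thread_id", "zero0")),
    18: ("<4I", ("id", "thread_id", "zero0", "zero1")),
    19: ("<8I", ("id", "name_ptr", "entry", "stack", "stack_size",
                 "system", "priority", "ready")),  # extended, 32 bytes
    20: ("<4I", ("id", "zero0", "zero1", "zero2")),
    21: ("<4I", ("id", "image_addr", "zero0", "zero1")),
    22: ("<4I", ("id", "dest", "flash_addr", "size")),
    24: ("<4I", ("id", "image_addr", "zero0", "zero1")),
    25: ("<IBBHII", ("id", "encrypt", "zero0", "key_index", "buf", "size")),
    26: ("<4I", ("id", "buf", "size", "dest")),
}
FLAGS = {"suspend", "system", "ready", "encrypt"}  # documented as 0 or 1


class MonitorError(Exception):
    """The device reported a failure in its response packet."""


def _validate(cmd_id, fields):
    for name, value in fields.items():
        if name.startswith("zero") and value != 0:
            raise ValueError(f"command {cmd_id}: reserved {name} is {value:#x}")
        if name in FLAGS and value not in (0, 1):
            raise ValueError(f"command {cmd_id}: {name} must be 0 or 1")
    if cmd_id == 19 and not 1 <= fields["priority"] <= 255:
        raise ValueError("command 19: priority must be 1-255")


def pack_command(cmd_id, **args):
    """Build a command packet; reserved fields are always written as zero."""
    fmt, names = COMMANDS[cmd_id]
    fields = {"id": cmd_id}
    for name in names[1:]:
        fields[name] = 0 if name.startswith("zero") else int(args.pop(name))
    if args:
        raise ValueError(f"command {cmd_id}: unexpected fields {sorted(args)}")
    _validate(cmd_id, fields)
    return struct.pack(fmt, *(fields[n] for n in names))


def unpack_command(packet):
    """Decode a captured command packet; reject bad sizes and reserved bits."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the command ID")
    (cmd_id,) = struct.unpack_from("<I", packet)
    if cmd_id not in COMMANDS:
        raise ValueError(f"command {cmd_id} is not covered by this example")
    fmt, names = COMMANDS[cmd_id]
    if len(packet) != struct.calcsize(fmt):
        raise ValueError(f"command {cmd_id}: expected "
                         f"{struct.calcsize(fmt)} bytes, got {len(packet)}")
    fields = dict(zip(names, struct.unpack(fmt, packet)))
    _validate(cmd_id, fields)
    return fields


def parse_response(cmd_id, data):
    """Decode a 16-byte response; offset 4 is read as a signed word."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(data)}")
    status, result = struct.unpack_from("<Ii", data)
    if status != STATUS_OK:  # assumption: any other value is a failure
        raise MonitorError(f"command {cmd_id}: status code {status}")
    if cmd_id == 17:
        return {"was_suspended": result == 1}
    if cmd_id == 19:
        if result < 0:
            raise MonitorError(f"command 19: thread creation error {result}")
        return {"thread_id": result}
    if cmd_id == 21:
        # Status 1 "does not mean it actually succeeded": hand back the
        # execimage() return code so the caller checks it explicitly.
        return {"execimage_rc": result}
    return {}  # bytes 4-15 are "Undefined" for the other commands


if __name__ == "__main__":
    # Constructed sample values, not addresses from any real device.
    pkt = pack_command(19, name_ptr=0, entry=0x08000000, stack=0x08010000,
                       stack_size=0x1000, system=0, priority=128, ready=1)
    print(len(pkt), unpack_command(pkt))
    print(parse_response(21, struct.pack("<Ii8x", 1, -1)))
```

The decoder rejects packets whose "Should be zero" fields are set, which is a useful sanity check when reading captured monitor traffic.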
41afbbeb0a48956a8944f2736ae9997226623e8e

3233 3204 2010-11-23T23:01:04Z Owixyze 158 wikitext text/x-wiki
[[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]]
emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Previously, drivers were scattered across multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse.

If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here].

==Building==
If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself.

Here are the basic steps for compiling emBIOS for your iPod:
* Check out the Freemyipod [[SVN]].
* Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path.
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN.
* You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver].
* If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with a toolchain prefixed with arm-elf-eabi-, run: <code>CROSS=arm-elf-eabi- make ipodnano2g</code>

==Using==
To communicate with emBIOS, use the embios.py Python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, Python and pyusb 1.x for this to work. Simply run embios.py without any arguments to get a list of possible commands. You can upload to and download from memory, read the I2C bus, run emBIOS applications or complete firmware files, and much more. Just try it out!
279785313f280b065c605e9ec9da4686c5618b28

User:Farthen 2 125 3207 2244 2010-11-10T07:11:34Z Farthen 28 wikitext text/x-wiki
Just a quick summary of me: I am from Germany and I can speak German, English and some (really not so much) French. I am the webmaster and server admin of this project. If you notice that the server is doing weird things please tell me about it. I have programming experience in Python and AVR ASM and I already did some minor stuff in ARM ASM, C, PHP and bash. I have an iPod nano 4g, downgraded to 1.0.3 of course. I found out about this project in June 2009 and I built the first real [[Nanotron 3000]] and was also the one to find the return address of the [[Nano 4G]].

If you have questions for me, want to tell me that the IRC bot is not behaving as it should or whatever: Just ask on the [[User_talk:Farthen|talk page]], on [[Contact|IRC]] or through the [[Contact|mailing list]].
8622edfa80dbf898bb8d85cbcd398b730ff12ad7

3209 3207 2010-11-10T18:03:37Z Farthen 28 wikitext text/x-wiki
Just a quick summary of me: I am from Germany and I can speak German, English and some (really not so much) French. I am the webmaster and server admin of this project. If you notice that the server is doing weird things please tell me about it. I have programming experience in Python and AVR ASM and I already did some minor stuff in ARM ASM, C, PHP and bash. I have an iPod nano 4g, downgraded to 1.0.3 of course. I found out about this project in June 2009 and I built the first real [[Nanotron 3000]] and was also the one to find the return address of the [[Nano 4G]].

If you have questions for me, want to tell me that the IRC bot is not behaving as it should or whatever: Just ask on the [[User_talk:Farthen|talk page]], on [[Contact|IRC]] or through the [[Contact|mailing list]].
5400c1d29d6b400d7f33a2cd1581944bcbbaf753

Contact 0 259 3208 3191 2010-11-10T07:12:17Z Farthen 28 wikitext text/x-wiki
There are various ways to contact the freemyipod team.

== IRC ==
We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; see http://logs.freemyipod.org for the log files.

=== #freemyipod ===
This channel is for anything related to the project. This may be development-related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod].

=== #freemyipod-support ===
This is our support channel. If you have questions or problems concerning our software, this is the place to ask. You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support].

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter].

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.

=== freemyipod ===
This list is for questions about the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question about something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page].

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here].

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member. If you have a general question, suggestion or request, please send it to the mailing list.
1fa314c7422d1d522303c0e28728f7eb713a9526

3211 3208 2010-11-19T16:50:52Z Farthen 28 We don't want people asking about iOS devices in our channels wikitext text/x-wiki
There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device such as the iPod touch. We don't do anything with them, nor can we help you with anything on these devices.

== IRC ==
We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; see http://logs.freemyipod.org for the log files.

=== #freemyipod ===
This channel is for anything related to the project. This may be development-related, but can also be a simple question about something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod].

=== #freemyipod-support ===
This is our support channel. If you have questions or problems concerning our software, this is the place to ask. You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support].

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter].

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.

=== freemyipod ===
This list is for questions about the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question about something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page].

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here].

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member. If you have a general question, suggestion or request, please send it to the mailing list.
7dd2ea66a5e7c7c4e8b405d13d8f5270b0cf42ae

Main Page 0 50 3210 3194 2010-11-19T16:46:48Z Farthen 28 We do NOT care about iOS devices wikitext text/x-wiki
__NOTOC__
[[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering clickwheel iPods ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmware such as [http://www.rockbox.org Rockbox] to them. Freemyipod is a relaunch of [[Linux4nano]].

==Updates==
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller have all been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}
d55a60137c81c8887f387ad2c3b298024c6fe66c

Status 0 121 3212 3162 2010-11-20T01:48:28Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the freemyipod team has made so far.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]]
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| iBugger<ref name="ibugger"/>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
|-
| emBIOS
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:grey">'''Untested'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:grey">'''Untested'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''In progress'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

===Annotations===
<references>
<ref name="newexploit">We need a new exploit to execute code on this device.</ref>
<ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref>
<ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref>
<ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref>
<ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref>
</references>
a702fbab594002c8b7f1207ff665260e32940e55

3217 3212 2010-11-21T10:49:37Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the freemyipod team has made so far.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]]
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| iBugger<ref name="ibugger"/>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
|-
| emBIOS
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:grey">'''Untested'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:grey">'''Untested'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''</span>
| <span style="color:grey">'''Untested'''</span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

===Annotations===
<references>
<ref name="newexploit">We need a new exploit to execute code on this device.</ref>
<ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref>
<ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref>
<ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref>
<ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref>
</references>
b7bef4e97cab7d65bc092c4eb5e98bcc3f417ffa

3218 3217 2010-11-21T10:50:37Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the freemyipod team has made so far.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:grey">'''Untested'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:grey">'''Untested'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''</span> | <span style="color:grey">'''Untested'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | 
<span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> </references> 08df8bffa3143c59ff4c1bd33b0f6a7e0776567a 3219 3218 2010-11-21T10:52:25Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | 
Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 12959047fa1e547268dcbeb52b748bc2e73828e9 3220 3219 2010-11-21T10:54:24Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span 
style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> <ref name="lcdonly1tested">The code is complete, but was only tested on one of the LCD types that were used in this series yet.</ref> </references> 58b2a8b75316d29593798650837f97cca9d3b333 3225 3220 2010-11-22T18:51:00Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span 
style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> <ref name="lcdonly1tested">The code is complete, but was only tested on one of the LCD types that were used in this series yet.</ref> </references> f3f3cc50a213a40cea224d1342b19701d860f358 3226 3225 2010-11-22T18:51:29Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
|- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span 
style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> <ref name="lcdonly1tested">The code is complete, but was only tested on one of the LCD types that were used in this series yet.</ref> </references> fd13802874824f44d7ad040da716d61a2445fa22 3227 3226 2010-11-22T19:02:36Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
| <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span 
style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> <ref name="lcdonly1tested">The code is complete, but was only tested on one of the LCD types that were used in this series yet.</ref> </references> 500ec814a970d43eb6dc056023dedec815a93e1d Hardware 0 54 3214 3183 2010-11-20T16:41:17Z TheSeven 13 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! 
size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G|"Nano" 6G]] |S5L8723 |? |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can be found at http://l4n.clustur.com/data/board_imgs. 
==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 42968ac25b59b158195faf38690abc6d80e49b54 3238 3214 2010-11-23T23:01:18Z Owixyze 158 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on its link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G|"Nano" 6G]] |S5L8723 |? |? |? |? 
|- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can be found at http://l4n.clustur.com/data/board_imgs. ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx a5e65f2080d3d05bcf7dfe98102ab60ae9c8e44d Classic 1G 0 245 3215 3051 2010-11-20T16:42:41Z TheSeven 13 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Terminology== By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | NXP PCF50635 | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html c1cd317e8419fb77f8caa6771d5debf0f9750af8 3237 3215 2010-11-23T23:01:18Z Owixyze 158 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Terminology== By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | NXP PCF50635 | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html 5e1f772bf404b963ac8b7c756b7c1cbb6e5d0c3c Firmware downgrading 0 163 3216 2684 2010-11-20T23:10:29Z Farthen 28 wikitext text/x-wiki This is a simple guide to Firmware downgrading with iTunes 8+ without losing Music from the iPod (this is NO warranty, backup your data if it's valuable to you!!!) First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above. 409dc404083a7fb77c310bda4269a897e527233c User talk:TheSeven 3 280 3221 2010-11-21T19:29:16Z Psgarcha92 159 Created page with "is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod throug..." 
wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. a5c03c7135284a847a40360e802fd2dd7c6a0037 3224 3221 2010-11-22T18:22:21Z TheSeven 13 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) d9623f4502d3c9f8a5c8127e87210fd011074b5e Nano 4G 0 243 3223 3000 2010-11-22T18:20:24Z TheSeven 13 /* Components */ wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. 
|- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 97ceb2bfdfa1d2ccc1f6a38407bb0edf6044909b FTL 0 193 3228 2977 2010-11-23T23:00:41Z Owixyze 158 wikitext text/x-wiki ---- <div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"> ---- =[http://ynodyky.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]= ---- =[http://ynodyky.co.cc CLICK HERE]= ---- </div> The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages. * Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad. * Physical page (pPage): A physical page number on the flash. * The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. 
(Those are on top of the VFL, which handles the bank interleaving.) * Hyperblock: One block across all banks. * System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below. * System pages: All the pages in the system hyperblocks. == On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) ____________________________________________________ | Block 0: Signature | |----------------------------------------------------| | 4 VFL context blocks | |----------------------------------------------------| | Spare blocks for remapping | |----------------------------------------------------| | Virtual blocks (directly mapped) | |- - - - - - - - - - - - - --------------------------| | Last few virtual blocks, | | | always marked as bad to | Low level signature | | protect overlapping low | and BBT blocks | | level BBT and signature | | |__________________________|_________________________| == The lowlevel BBT == This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ... == The VFL == The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL. === VFL context === /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */ struct ftl_vfl_cxt_type { /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. */ uint32_t usn; /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. 
The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. */ uint16_t ftlctrlblocks[3]; /* Alignment to 32 bits */ uint8_t field_A[2]; /* Decrementing update counter for VFL context commits per bank */ uint32_t updatecount; /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. */ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. 
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum.

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area.
(To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility.
      */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks.
      */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be
        committed because they were changed more than 100 times since
        the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock, that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.

=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while
            reading the page during a copying operation earlier,
            this will be 0x55.
          */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page,
            for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while
            reading the page during a copying operation earlier,
            this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

34df53d7b4e9f996d1971c7779995bb047af9878 Working with binaries 0 201 3229 2949 2010-11-23T23:00:43Z Owixyze 158 wikitext text/x-wiki

==GNU ARM toolchain==
Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod.
===Obtaining===
The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.

===Assembling===
<pre>
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>

===Disassembling===
<pre>
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>

==IDA Pro==
===Distributions===
====IDA Pro 5.7 paid====
This is the best version if you can pay. One of the main advantages over its demo version is that you can save project files.

====IDA Pro 5.7 demo====
This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>

====IDA Pro 4.9 freeware====
This version is tempting to download but useless since it doesn't support ARM.

===Usage===
[[Image:ida_config.png|thumb]]
#To create a new disassembly database, go to File->New...
#Select "Binary/Raw File" under the "Various files" tab
#Select the binary file you want to examine
#Click next. You don't need the analysis options
#The processor you should select is "ARM processors: ARM". Click next
#Click finish. Now you are asked about memory mapping. To the right is an example for the 4G bootrom. Fill out the info and press OK.
#IDA will now create the project file. Sometimes it freezes but if it does just try these steps again. There should be two popups concerning thumb mode and your program's entry point. Press OK for both of them.
#Go to 0x02000000 and press 'C'.
This tells IDA that this is code. All the other code should appear now.
#You are good to go. Happy analyzing!

==Helpful pages==
http://chdk.wikia.com/wiki/GPL_Disassembling

http://www.dwelch.com/ipod/

2793bbae6c75598b691e0f3e91c6278e571dfea7 S5L8701 analysis 0 89 3230 3077 2010-11-23T23:00:50Z Owixyze 158 wikitext text/x-wiki

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]

== Introduction ==
The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips, or about the further evolutions.

There is probably a small unencrypted boot ROM inside, probably containing crypto information, which would be very useful for integrating user SW.

Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double side PCB substrate.
The electrical current passes through:
*a pad of the chip die
*a bonding wire
*the top layer of the substrate
*a via
*the bottom layer
*finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==
The following steps were performed:
*desoldering of the IC
*removing of the balls and filler glue
*X-ray picture
*microscope picture of the bottom layer
*removing the bottom layer and most of the substrate (by careful manual grinding)
*microscope picture of the top layer
*superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==
The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status. This is not an easy part of the work: each pad has to be tested for connections all over the board (most ICs removed). See [[Nano2G HW analysis]] for further PCB analysis.

cdba4c9edb16b5fdaa6061f125cc280a910e7569 Firmware decryption 0 66 3231 3170 2010-11-23T23:00:55Z Owixyze 158 wikitext text/x-wiki

==Background==
Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with [[Nano 2G]], the encryption method changed.
The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key isn't found yet, but it is not needed to decrypt the firmware.

After discovering the notes exploit, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent. After the decryption process completes, the decrypted data is downloaded.

==ipodcrypt==
The ipodcrypt utility has the following features:

For [[Nano 2G]]:
*encrypt/decrypt DFU image
*encrypt/decrypt firmware file contents
*encrypt/decrypt dump of NOR flash's contents

For [[Nano 4G]]:
*decrypt firmware file contents

The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.

==Prerequisites==
===Windows===
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below)

Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads

You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices.
You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.

'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Installing the driver then is as usual.

'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions.

===Linux===
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
<pre>
easy_install pyusb
</pre>
Otherwise, you need to download it and install it manually as in the Windows instructions.

To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.
===Mac OS X===
(to be added later)

==Helpful pages==
http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/

73a9d87c9f9ddb6d6efafa834d55eb08ce20157a Modes 0 52 3232 3115 2010-11-23T23:00:56Z Owixyze 158 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip.

For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode.
It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the Product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| 1261
| 1223
|}

Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

dff018c6d8a8bfadf481ffdb82e30143f37408c2 Extracting firmware 0 57 3234 3142 2010-11-23T23:01:04Z Owixyze 158 wikitext text/x-wiki

The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/. The Windows and the Linux versions can be built with a simple make command.

Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw

On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is a workaround, because the Nano 4G firmwares are detected as Nano 3G's, but the offset is different.
To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw

These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g --help</pre>

===Removing header===
Also, if you are using the osos.fw output by extract2g in iLoader, you need to remove the 2 KiB header from it:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Or alternatively, under Windows open osos.fw in HxD and select 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.

Then put osos.out into /iLoader/osos.fw

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

61c3a03c9d37502989c39709f5cbd7a02452531c Dumping firmware 0 53 3235 3171 2010-11-23T23:01:06Z Owixyze 158 wikitext text/x-wiki

The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.

==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while.
If you have a lot of data on your iPod, it can take a very long time.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| class="wikitable"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| class="wikitable"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhone's and iPod Touch's.
|}

You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.
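The .ipsw inspection described above, as an added example (not part of the original wiki page or of the freemyipod tools): it opens the file as the ZIP archive it is, classifies it by the two layouts in the tables, and reports which of the marker strings the page mentions appear near the end of the bootloader member. The archive built by `build_sample_ipsw` is constructed for the demo; the member-name patterns, the 64 KiB tail window and the size cap are assumptions.

```python
import io
import re
import zipfile

# Marker strings the page reports near the end of the 4G bootloader file.
MARKERS = (b"Apple iPod Certification Authority", b"S5L8720", b"Secure Boot")

# Assumption: a "string" is a run of 6+ printable ASCII bytes, as strings(1) does.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Assumption: refuse to inflate members larger than this (guards against zip bombs).
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def classify_members(names):
    """Map archive member names onto the roles from the two tables."""
    roles = {"firmware": None, "manifest": None, "bootloader": None, "other": []}
    for name in names:
        base = name.rsplit("/", 1)[-1]
        if base == "manifest.plist":
            roles["manifest"] = name
        elif base == "Firmware.MSE" or base.startswith("Firmware-"):
            roles["firmware"] = name
        elif ".bootloader." in base:
            roles["bootloader"] = name
        else:
            roles["other"].append(name)
    return roles


def layout_of(roles):
    """'4G' has Firmware.MSE, '1G-3G' has Firmware-<version>, else 'unknown'."""
    firmware = roles["firmware"]
    if firmware is None:
        return "unknown"
    return "4G" if firmware.endswith("Firmware.MSE") else "1G-3G"


def find_markers(blob, tail_bytes=64 * 1024):
    """Return the marker strings found in printable runs near the end of blob."""
    runs = ASCII_RUN.findall(blob[-tail_bytes:])
    return [m.decode() for m in MARKERS if any(m in run for run in runs)]


def inspect_ipsw(fileobj):
    """Summarise an .ipsw held in a seekable file object, without writing to disk."""
    if not zipfile.is_zipfile(fileobj):
        raise ValueError("not a ZIP container, so not an .ipsw as described")
    fileobj.seek(0)
    with zipfile.ZipFile(fileobj) as zf:
        roles = classify_members(zf.namelist())
        markers = []
        name = roles["bootloader"]
        if name is not None:
            if zf.getinfo(name).file_size > MAX_MEMBER_BYTES:
                raise ValueError("bootloader member is implausibly large")
            markers = find_markers(zf.read(name))
    return {"layout": layout_of(roles), "roles": roles, "markers": markers}


def build_sample_ipsw():
    """Constructed stand-in for a 4G .ipsw; all contents are made up."""
    bootloader = bytes(range(256)) * 16 + b"\x00Secure Boot\x00\x01S5L8720\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Firmware.MSE", b"\x00" * 512)
        zf.writestr("manifest.plist", b"<plist></plist>")
        zf.writestr("N58s.bootloader.release.rb3", bootloader)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(inspect_ipsw(build_sample_ipsw()))
```

For a downloaded file, pass `open(path, "rb")` to `inspect_ipsw`; nothing is extracted to disk, so member names containing path components are never written anywhere.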
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE

5637a8568f17f29d54c5eb7e3da700ac2fd8a5ae Nano 6G 0 276 3236 3185 2010-11-23T23:01:09Z Owixyze 158 wikitext text/x-wiki

[[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| <span style="color:red">Red</span>
| NAND Flash
|
| Toshiba TH58NVG6E2FLA4C
|
|-
| <span style="color:cyan">Cyan</span>
|
|
| Apple 33850859 C0E111022
|
|-
| <span style="color:orange">Orange</span>
|
|
| Apple 338S0783-B1 10298HLS
| Could be the Power Manager? Someone please confirm this.
|-
| <span style="color:#e8e838">Yellow</span>
|
|
| 0650 D0UY 027
|
|-
| <span style="color:blue">Blue</span>
| CPU
| Samsung S5L8723
| Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031
| Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source]
|-
| <span style="color:#cf5eea">Pink</span>
|
|
| 35758907 1025 A 04 629749
|
|}

==Notes==
The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.<br />
The red and black cables lead to the battery.
==Helpful pages==
Teardowns:
*http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563
Reviews:
*http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars

5b44c71c3b17b0a603084a09823b11ae286f52e5 ILoader 0 146 3239 3189 2010-11-23T23:01:32Z Owixyze 158 wikitext text/x-wiki

Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed.

iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable.

iLoader only works on the 2G Nano, as this is the only iPod we've figured out the FTL for.

For installation instructions, see the [http://theseven.freemyipod.org/iloader iLoader homepage].
b69c55487cd7454168a1ef9200b2db301bf95564 IBugger 0 116 3240 3040 2010-11-23T23:01:35Z Owixyze 158 wikitext text/x-wiki

{{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emBIOS]].}}
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
The two iBugger utilities use a Python script that handles USB communication with the iPod.

===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here].

iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.

You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core.

There are iBugger Loader releases for the 2G and 4G Nanos.

===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB.
Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes needed to the code being debugged, to allow running it in iBugger
There are iBugger Loader releases for the 2G and 4G Nanos.
1189838fccfb25cdd7ca2e49073af7893105af13
Contributing 0 256 3241 3023 2010-11-23T23:01:46Z Owixyze 158 wikitext text/x-wiki
The first question people generally ask about this project is, "How can I help out?" Here are some ways someone can be useful to the project:
==Developing==
This is perhaps the most valuable way one can help the project. We get many people who want to help with development but don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about:
*'''ARM assembly''' - this is probably the hardest topic for beginners to grasp.
Resources:
**[http://simplemachines.it/doc/arm_inst.pdf an ARM primer]
**[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref]
**[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM]
**http://simplemachines.it has great resources for learning ARM
*'''C''' - Used whenever we can avoid using ARM assembly.
*'''Python''' - Python is used often for various scripts we write.
==Vulnerabilities==
If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, announce the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).
==Writing guides==
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.
==Testing==
Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding of the tools you're testing. Besides, we already have a lot of [[Willing testers]].
afcc09a47c07e85eb9d4193d026950b49c126d13
MPEG movies 0 173 3243 3157 2010-11-23T23:02:01Z Owixyze 158 wikitext text/x-wiki
Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this Article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First install Rockbox.
== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press Enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, and then press Enter:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg.
An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
Now wait for the program to finish. On your Desktop you should now see a new file. Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file and it should play.
== Linux Instructions: ==
Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use
 sudo apt-get install ffmpeg
Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
''Note: If libmp3lame doesn't work use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox navigate to your file and play it.
== Several Notes ==
To get a widescreen aspect ratio, try 170x128, or try changing the ratio to get a better view. Your videos might take some time to convert.
5d2fdd94a742f55375efd18d7993d5494073c127
Notes vulnerability 0 98 3244 2740 2010-11-23T23:02:06Z Owixyze 158 wikitext text/x-wiki
=== Basics ===
The notes functionality is basically an HTML browser included in the iPod. Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
* 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM
* each file is limited to 4kB
* the links point to other files, notes, or media files.
* the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)
There are many buffers scattered throughout the RAM:
# Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to.
# Some have UTF16 processing. These are a burden but can be worked around.
# Some have UTF8 processing. These are virtually unusable.
The main disadvantage of this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage.
=== Dealing with UTF-16 ===
If jumping to a UTF16-processed buffer, the possible character sequences are limited. To keep the widest range of usable characters, it is best to encode the exploit directly in [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. The forbidden values in UTF16 are:
* FE FF: UTF16 BOM
* D8 00 up to DF FF: not checked what happens if inserting them
* 00 00: would stop string processing
The payload is placed in the body of the .htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded as multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.
If a return address is repeated throughout the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (The unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again.)
== Exploiting, getting execution ==
(Credit for the exploit goes to [[Sto]])

To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to place a second file to influence the buffer's location in order to have a return address which conforms to UTF8 (no byte of the return address can be >7F).

An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc...

The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on. Caches are also activated. Disabling them is recommended if you are performing complex IO & DMA stuff because they can interfere.
== Dumping memories ==
For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible.
The dumps can't be published here, due to copyright issues.
== UART ==
The UART is exactly the same as described in the datasheet (if one did indeed exist). See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector. My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
* left board: DLC5 JTAG interface, modified for reset and USB switching
* right board: some programmer board, only the ST232 is used
* upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used
* middle board: all the switching stuff
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.
== USB ==
USB was eventually figured out so we no longer needed the UART cables.
5bf2527c1bc009ad92822db7ca87ca82dcccb64c
SVN 0 261 3245 3033 2010-11-23T23:02:07Z Owixyze 158 wikitext text/x-wiki
We have a Subversion repository where we store the code for our software projects.
== Builds ==
We have automatic builds of our software. Just head over to http://builds.freemyipod.org to download the build you want.
== Websvn ==
If you just want to browse the SVN, go to http://websvn.freemyipod.org.
== Checkout ==
If you want to check out the repository, please use this URL: http://svn.freemyipod.org
== Commit ==
If you are a registered developer you need to use this URL to check out and commit: https://svn.freemyipod.org. You need to specify your username and password.
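For the "Link overflow" steps on the Notes vulnerability page above: the link is rewritten (UTF-8 conversion, uppercasing, %xx decoding) before it lands in a fixed stack buffer, so a limit on the source text does not bound what gets copied. The C code below is an added example, not Apple's firmware code or freemyipod code; it measures the transformed length and refuses a copy that would not fit. The 256-byte buffer, the ISO-8859-1 input, ASCII-only uppercasing and every function name are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINK_BUF_SIZE 256 /* assumed size of the fixed destination buffer */

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Append one byte if it fits (always leaving room for the NUL), and count it
 * either way so the caller learns the size the full result would need. */
static void put(unsigned char *out, size_t cap, size_t *len, unsigned char b)
{
    if (out != NULL && *len + 1 < cap)
        out[*len] = b;
    (*len)++;
}

/*
 * Apply the transformations the page lists, in one pass:
 *   - ISO-8859-1 bytes above 0x7F become two UTF-8 bytes (the string grows),
 *   - ASCII letters are uppercased,
 *   - %xx escapes with 01 <= xx <= 7F are decoded (and not uppercased, since
 *     decoding happens after the uppercase step).
 * Returns the transformed length, excluding the NUL, like snprintf does.
 * Never writes more than cap bytes to out; out may be NULL to measure only.
 */
size_t transform_link(const unsigned char *in, size_t n,
                      unsigned char *out, size_t cap)
{
    size_t len = 0, i = 0;

    while (i < n) {
        unsigned char b = in[i];

        if (b == '%' && i + 2 < n) {
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            int v = (hi >= 0 && lo >= 0) ? hi * 16 + lo : -1;
            if (v >= 0x01 && v <= 0x7F) {
                put(out, cap, &len, (unsigned char)v);
                i += 3;
                continue;
            }
        }
        if (b > 0x7F) {
            put(out, cap, &len, (unsigned char)(0xC0 | (b >> 6)));
            put(out, cap, &len, (unsigned char)(0x80 | (b & 0x3F)));
        } else if (b >= 'a' && b <= 'z') {
            put(out, cap, &len, (unsigned char)(b - 'a' + 'A'));
        } else {
            put(out, cap, &len, b);
        }
        i++;
    }
    if (out != NULL && cap > 0)
        out[len < cap ? len : cap - 1] = '\0';
    return len;
}

/* Checked copy: measure the transformed link first, refuse what does not fit. */
int copy_link_checked(char *dst, size_t dst_size,
                      const unsigned char *link, size_t n)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    if (transform_link(link, n, NULL, 0) >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    transform_link(link, n, (unsigned char *)dst, dst_size);
    return 0;
}

int main(void)
{
    /* Constructed input: 256 bytes of 0xE9, a link at the documented limit. */
    unsigned char link[256];
    char stack_buf[LINK_BUF_SIZE];

    memset(link, 0xE9, sizeof link);
    printf("source length %zu, transformed length %zu, buffer %d\n",
           sizeof link, transform_link(link, sizeof link, NULL, 0),
           LINK_BUF_SIZE);
    printf("checked copy: %s\n",
           copy_link_checked(stack_buf, sizeof stack_buf, link, sizeof link) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The length check has to run on the transformed string, because the UTF-8 step can double the size of a link that passed the source-side limit.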
1b33b0981997701c0fe7c4421c66b8886db2ad06
Address bruteforcing 0 122 3246 3154 2010-11-23T23:02:19Z Owixyze 158 wikitext text/x-wiki
{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing.
Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.
== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]].
== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.
Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!
== Table of reserved or tested files ==
{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !!
Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Tested
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080f0104.htm || a080f7f04.htm || Tested
|-
| JoeWheeler || 3G Nano || 1.1.3 || Windows || a08100104.htm || a08100904.htm || Reserved
|}
== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !!
Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm, || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe <sup>1</sup> || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|-
| KAB123 || 2G Classic || 2.0.1 || Windows || 09196804.htm 08334d04.htm || #4 for sweepfreeze, #4 for sweepcrash.
|
|}
<sup>1</sup> - I have added a video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]
ec2d0ab2d8cd9ab561052285e0fae464ae59add3
Nano 2G 0 241 3247 3174 2010-11-23T23:02:29Z Owixyze 158 wikitext text/x-wiki
[[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]]
==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 1 || CPU || Samsung S5L8701 || 337S32918701, N042DQS, 0636 ARM || System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 176kB SRAM, external RAM, flash and LCD controllers, USB (1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| 2 || SDRAM || [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] || SEC 637 GG75, K4M56163PG, AQH373P1 || [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]].
Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| 3 || Utility Flash || [http://www.sst.com/products/?inode=41422 SST39WF800A] || SST39WF800A, 90-4C-C2QE, 0631287-A || Stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| N/A || DSP || N/A || N/A || Doesn't seem to be present at all.
|-
| B1 || NAND Flash || Varies || TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20 ||
|-
| 6 || USB charging || LTC4066 || Linear Technology, 6H, 4066, B8966 ||
|-
| 5 || Audio codec || Wolfson WM8975 || APPLE, 338S0310, 68BTST8 ||
|-
| 4 || Step down regulator || LM34910 || National Semiconductor, JM66RJ, L34910B ||
|-
| B2 || Power manager (below) || NXP PCF50633UM || APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2 ||
|}
==Helpful pages==
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4
*http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager)
*http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans)
Other:
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf
c61173e4b0eeaa5114ba574f5e6b07c36b8e8fb8
Nano 5G 0 244 3248 3001 2010-11-23T23:02:31Z Owixyze 158 wikitext text/x-wiki
[[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]]
==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !!
Notes
|-
| 2 || CPU || Samsung S5L8730 || 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 || Printed backwards on the chip - how sneaky.
|-
| || SDRAM || || || Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| 8 || NAND Flash || Various 8/16 GB chips || TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE || One example is TH58NVG6D2ELA49 visible on the iFixit Teardown
|-
| 1 || Power manager || Probably Dialog || 338S0707, -AD, 09278HGZ || Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device.
|-
| 3 || || || ||
|-
| 4 || || || ||
|-
| 5 || Audio codec || Cirrus Logic CLI1480A || 338S0559, ATWV0926, SGP || Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp
|-
| 6 || Accelerometer || [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] || 33DM, 2910 || The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
|-
| 7 || || || 0630, CK9Y, 925 ||
|}
==Helpful pages==
Teardowns:
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157
Other:
*http://purpleskank.wikidot.com/ipod-nano-5g
*http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271
3df6a3f26a3833c52d17518d2f898531a93ab024
S5L8700 datasheet 0 255 3249 3195 2010-11-23T23:02:50Z Owixyze 158 wikitext text/x-wiki
The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here].
It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail. The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version.
==Helpful pages==
*http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html
*http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
*http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html
61b7230ee03935460cd802688954b3e82cb49e94
Chronology 0 65 3252 3190 2010-11-23T23:03:18Z Owixyze 158 wikitext text/x-wiki
This page lists all iPod models and fixes the names used for them, so that nobody on this wiki or on IRC is confused about which device we are talking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page.
==iPod Series==
{| class="wikitable"
! Model !! Introduced !! Capacity !!
Notes
|-
| [http://support.apple.com/kb/HT1353#scrollwheel 1G] || 2001-10 || 5 GB or 10 GB ||
|-
| [http://support.apple.com/kb/HT1353#touchwheel 2G] || 2002-07 || 10 GB or 20 GB ||
|-
| [http://support.apple.com/kb/HT1353#dockconnector 3G] || 2003-04 || 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB ||
|-
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] || 2004-07 || 20 GB or 40 GB ||
|-
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] || 2004-10 || 20 GB, 30 GB, or 60 GB ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] || 2005-10 || 30 GB or 60 GB ||
|-
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] || 2006-09 || 30 GB or 80 GB ||
|-
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G] || 2007-09 || 80 GB or 160 GB || Encryption starts
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G] || 2008-09 || 120 GB ||
|-
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G] || 2009-09 || 160 GB ||
|}
==iPod Nano Series==
{| class="wikitable"
! Model !! Introduced !! Capacity !! Notes
|-
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] || 2005-09 || 1 GB, 2 GB, or 4 GB ||
|-
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] || 2006-09 || 2 GB, 4 GB, or 8 GB || Encryption starts
|-
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] || 2007-09 || 4 GB or 8 GB ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] || 2008-09 || 8 GB or 16 GB ||
|-
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] || 2009-09 || 8 GB or 16 GB ||
|-
| Nano 6G || 2010-09 || 8 GB or 16 GB || Multi-Touch display
|}
==Timeline==
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]
==The Motive==
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted.
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main concern was the many imitations that replicated the hardware and ran the exact firmware that ran on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money to the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple switched to Samsung processors and no longer used PortalPlayer. 
==Helpful Pages== http://support.apple.com/kb/HT1353 6f8034c314c35dcf0521e8a319c7654db411a292 Firmware downgrading 0 163 3253 3216 2010-11-23T23:03:50Z Owixyze 158 wikitext text/x-wiki This is a simple guide to downgrading firmware with iTunes 8+ without losing music from the iPod (there is NO warranty; back up your data if it is valuable to you!). First you need the correct firmware file. You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above. 14815f6d33ac44650684600bf4399d02d91cbeef 3292 3253 2010-11-24T00:15:20Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki This is a simple guide to downgrading firmware with iTunes 8+ without losing music from the iPod (there is NO warranty; back up your data if it is valuable to you!). First you need the correct firmware file. 
You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded. ==Firmware Files== The 1.0.4 firmware release for the Nano 4G has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above. 409dc404083a7fb77c310bda4269a897e527233c User talk:Cmwslw 3 249 3255 2932 2010-11-23T23:03:58Z Owixyze 158 wikitext text/x-wiki Hello, I write this to tell you that the no. 5 chip on the nano4 board should be a display IC. I have removed this IC and the wires under it connect to the LCD jack. Sorry for my poor English. :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) Hello, I checked the nano4 board again just now, and the wires under no. 5 connect both to the LCD jack and the earphone jack. (I'm sure they are not the GND pins, so maybe no. 5 is a multimedia chip?) And I can't find out the details about the no. 3 chip; it doesn't connect to the LCD or earphone (maybe due to the broken board). 
I also took two photos (nano4 board with all chips removed), but the quality is low; the only camera I can use is a 3GS. I have many broken iPod boards; if you have any problems about chips on them, send a message to me. I can dump them and take photos. Here are the links: Board Back http://i3.6.cn/cvbnm/ce/c5/f6/01e1e35641a4b8fde7822545b20c6a5c.jpg Board Front http://i3.6.cn/cvbnm/46/be/95/bb99569adee431472c299026bd8a0136.jpg Dumped CPU http://i3.6.cn/cvbnm/c0/24/e3/fa8d051d5d2b1f50be46428010d73512.jpg a523951cf5f7fc24f366525607af6c216992b027 3290 3255 2010-11-24T00:15:17Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Sinless|Sinless]] wikitext text/x-wiki Hello, I write this to tell you that the no. 5 chip on the nano4 board should be a display IC. I have removed this IC and the wires under it connect to the LCD jack. Sorry for my poor English. :Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC) Hello, I checked the nano4 board again just now, and the wires under no. 5 connect both to the LCD jack and the earphone jack. (I'm sure they are not the GND pins, so maybe no. 5 is a multimedia chip?) And I can't find out the details about the no. 3 chip; it doesn't connect to the LCD or earphone (maybe due to the broken board). I also took two photos (nano4 board with all chips removed), but the quality is low; the only camera I can use is a 3GS. I have many broken iPod boards; if you have any problems about chips on them, send a message to me. I can dump them and take photos. 
Here are the links: Board Back http://i3.6.cn/cvbnm/ce/c5/f6/01e1e35641a4b8fde7822545b20c6a5c.jpg Board Front http://i3.6.cn/cvbnm/46/be/95/bb99569adee431472c299026bd8a0136.jpg Dumped CPU http://i3.6.cn/cvbnm/c0/24/e3/fa8d051d5d2b1f50be46428010d73512.jpg 8c95982073537b349ff43b407af4bbb7470a6643 User:Wolftail 2 271 3256 3165 2010-11-23T23:04:06Z Owixyze 158 wikitext text/x-wiki Hey, there! My name is Lala Ionuț, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. I am willing to do non-destructive testing in order to help the project. 41d12b713047fd4f4a61f0c9fea9476fb61776bf 3289 3256 2010-11-24T00:15:16Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Wolftail|Wolftail]] wikitext text/x-wiki Hey, there! My name is Lala Ionuț, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. I am willing to do non-destructive testing in order to help the project. 
c6e0cdd2616c8e8d7600893f2e2778446d8cc57b User talk:Farthen 3 126 3258 1916 2010-11-23T23:04:11Z Owixyze 158 wikitext text/x-wiki Feel free to ask questions to me on this page. You can also contact me through mailinglist or irc, see my [[User:Farthen|user page]] for details. --[[User:Farthen|Farthen]] 01:46, 22 August 2009 (UTC) c90aa5eee3331d532fc26f1a9b2a0dfecaa5fb51 3287 3258 2010-11-24T00:15:13Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki Feel free to ask questions to me on this page. You can also contact me through mailinglist or irc, see my [[User:Farthen|user page]] for details. 
--[[User:Farthen|Farthen]] 01:46, 22 August 2009 (UTC) 537d8c31ee7362e0f9c1ca4facb6ddd76bba9471 Nano2G HW analysis 0 94 3259 3155 2010-11-23T23:04:12Z Owixyze 158 wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Nano 2G]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To speed up the search, a coarser search was performed first using a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were traced, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG brute-force scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. 
The pins are basically available on the DOCK connector after putting some jumpers in place (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes immediately when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so no memory is reachable any more. The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mostly still alive, we focused first on dumping whatever the caches contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, and "ic" shows the Icache indexes. Be careful: these values can be corrupt due to the memory bus disconnection. We used statistics over many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. Having a reset is a desirable feature. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go into a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? 
== [[Notes_exploit]] c8586a026ab741df21b122a6d17887061933a9df 3286 3259 2010-11-24T00:15:12Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki [[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]] [[File:Bot_annote.jpg|200px|thumb|Bottom layer]] [[File:2G_frt_annotation.png|300px]] [[File:2G_bck_annotation.png|300px]] == previous work == See [[Nano 2G]]. == SOC analysis == [[S5L8701_analysis]] == Circuit analysis == After desoldering all components, the circuit was analyzed with a continuity tester. Small test needles (nailbed needles are great) were used for contacting. To speed up the search, a coarser search was performed first using a novel method: soldering a coil wire to one end, and moving an iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle is used to find the exact pad. Not all connections were traced, mainly the connections to the S5L8701 SOC. The result is a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]. See also [[S5L8701_analysis]]. == JTAG == The JTAG was found after searching with a JTAG brute-force scanner I wrote (to be published later). There were a lot of problems, including the scanner not working properly, and an nTRST pin (still cannot understand why). But now we have the locations of the pins: see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]]. The pins are basically available on the DOCK connector after putting some jumpers in place (2 for nTRST, 1 for other pins). After connecting a Xilinx parallel cable and installing openwince, we can try to connect to the JTAG: '''The screen freezes immediately when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functional, but it gets disconnected from the main bus, so no memory is reachable any more. 
The only memories preserved are the data and instruction caches. == JTAG cache dumps == As the caches are mostly still alive, we focused first on dumping whatever the caches contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (only the Dcache can be dumped; the Icache can only give the indexes). We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, and "ic" shows the Icache indexes. Be careful: these values can be corrupt due to the memory bus disconnection. We used statistics over many dumps to obtain useful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). Please note that the DLC5 cable was modified to include an nSRST pin, and openocd was recompiled for this. Having a reset is a desirable feature. nTRST was simply tied to the 3.0V power supply; it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the iPod can often go into a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. [http://f4eru.free.fr/8701/dump_example.txt Dump example] == getting code execution ? == [[Notes_exploit]] 7b9e35f6197ca39445753d5d177a515be146e733 Nano 1G 0 240 3260 2996 2010-11-23T23:04:21Z Owixyze 158 wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | 4 | CPU | Portal Player PP5021C-TDF | PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | 5 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&amp;partnum=K4M56163PG Samsung K4M56163PG] | SEC534 BG75, K4M56163PG, AQF061WX | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | 10 | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A] | SST39WF400A, 90-4C-C1QE, 0528149A | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | 1 | NAND Flash | Varies | | |- | 2 | Click wheel controller | CY8C21434 | CPMCYP, 6360A 02, K0R0512, 610881 | |- | 3 | ATA flash disk controller | SST5SLD019K | Logo, 55LD019K, 45-C-MWE, 0528071-A4 | |- | 6 | Audio codec | WM8975G | WM8975G, 56AGVF4 | |- | 7 | Step down regulator | LM34910 | JM54RE, 34910SD | |- | 8 | Power manager | PCF50607 | CF50607, 605940, Bug528, 23e/N1Y | |- | 9 | USB charging | LTC4066 | Logo, 5F, 4066, N7537 | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed Other: *http://www.ipodlinux.org/wiki/Generations fe419c95d1686a0c32e4cbe305d8ac53f284f2b7 3285 3260 2010-11-24T00:15:11Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki [[Image:nano_1g_frt_a.png|500px]] [[Image:nano_1g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! 
Markings !! Notes |- | 4 | CPU | Portal Player PP5021C-TDF | PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN | This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it. |- | 5 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] | SEC534 BG75, K4M56163PG, AQF061WX | A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here]. |- | 10 | Utility Flash | [http://www.sst.com/products/?inode=41856 SST39WF400A] | SST39WF400A, 90-4C-C1QE, 0528149A | This chip is documented very well. A similar chip is on the [[Nano 2G]]. |- | 1 | NAND Flash | Varies | | |- | 2 | Click wheel controller | CY8C21434 | CPMCYP, 6360A 02, K0R0512, 610881 | |- | 3 | ATA flash disk controller | SST5SLD019K | Logo, 55LD019K, 45-C-MWE, 0528071-A4 | |- | 6 | Audio codec | WM8975G | WM8975G, 56AGVF4 | |- | 7 | Step down regulator | LM34910 | JM54RE, 34910SD | |- | 8 | Power manager | PCF50607 | CF50607, 605940, Bug528, 23e/N1Y | |- | 9 | USB charging | LTC4066 | Logo, 5F, 4066, N7537 | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx Teardowns: *http://arstechnica.com/apple/reviews/2005/09/nano.ars/4 *[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board] *[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed Other: *http://www.ipodlinux.org/wiki/Generations 0760d3ed6421a86fc9c404917f5c838172eb7f8d Nano2G clock gates 0 191 3262 2992 2010-11-23T23:04:32Z Owixyze 158 wikitext text/x-wiki 
(State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!) ===PWRCON=== {| class="wikitable" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? (Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| class="wikitable" ! Bit !! State !! 
Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? |} 7906dcfd98cc77031fe2af0c671cf6e0e4b1fa3f 3283 3262 2010-11-24T00:15:09Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki (State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!) ===PWRCON=== {| class="wikitable" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | RTC? (Datasheet) |- | 21 | 0 | SDRAM? (Datasheet) |- | 20 | 0 | ECC (Datasheet mismatch, proven to be ECC) |- | 19 | 1 | ATA? (Datasheet) |- | 18 | 1 | LCD? (Datasheet) |- | 17 | 1 | DSP? 
(Datasheet) |- | 16 | 0 | USBHOST? (Datasheet) |- | | | |- | 15 | 0 | USBFUNC? (Datasheet) |- | 14 | 1 | USB PHY |- | 13 | 1 | RTC? (Datasheet) |- | 12 | 1 | CHIPID? (Datasheet) |- | 11 | 0 | GPIO? (Datasheet) |- | 10 | 0 | ADC? (Datasheet) |- | 09 | 1 | SPI? (Datasheet) |- | 08 | 1 | UART? (Datasheet) |- | | | |- | 07 | 1 | SPDIF? (Datasheet) |- | 06 | 0 | I2S (Datasheet, verified) |- | 05 | 0 | I2C (Datasheet, verified) |- | 04 | 0 | TIMER (Datasheet, verified) |- | 03 | 0 | MEMSTICK? (Datasheet) |- | 02 | 0 | SDC/MMC? (Datasheet) |- | 01 | 0 | FMC? (Datasheet) |- | 00 | 0 | LCDC? (Datasheet) |} ===PWRCONEXT=== {| class="wikitable" ! Bit !! State !! Meaning |- | 31 | 0 | Probably a padding bit |- | 30 | 0 | Probably a padding bit |- | 29 | 0 | Probably a padding bit |- | 28 | 0 | Probably a padding bit |- | 27 | 0 | Probably a padding bit |- | 26 | 0 | Probably a padding bit |- | 25 | 0 | Probably a padding bit |- | 24 | 0 | Probably a padding bit |- | | | |- | 23 | 0 | Probably a padding bit |- | 22 | 0 | Probably a padding bit |- | 21 | 0 | Probably a padding bit |- | 20 | 0 | Probably a padding bit |- | 19 | 0 | Probably a padding bit |- | 18 | 0 | Probably a padding bit |- | 17 | 0 | Probably a padding bit |- | 16 | 0 | Probably a padding bit |- | | | |- | 15 | 0 | Probably a padding bit |- | 14 | 0 | Probably a padding bit |- | 13 | 1 | Unknown |- | 12 | 0 | Unknown, but needs to be powered on |- | 11 | 1 | USB OTG |- | 10 | 1 | AES unit |- | 09 | 1 | Unknown |- | 08 | 1 | Unknown |- | | | |- | 07 | 0 | LCD SPI I/F |- | 06 | 0 | NAND/FMC |- | 05 | 1 | Unknown |- | 04 | 1 | Unknown |- | 03 | 1 | Unknown |- | 02 | 1 | Hashing unit |- | 01 | 1 | Unknown |- | 00 | 0 | Clickwheel? 
|} 73298e0391563549bdc5ac50fd8e319ebb1dd971 Nano 4G 0 243 3263 3223 2010-11-23T23:04:38Z Owixyze 158 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 9c5ee253f6a1d3133b26543870d036cb520172d8 3282 3263 2010-11-24T00:15:06Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 97ceb2bfdfa1d2ccc1f6a38407bb0edf6044909b User talk:Wolftail 3 273 3264 3164 2010-11-23T23:04:51Z Owixyze 158 wikitext text/x-wiki PS: If anyone will read this... Is it possible to update the 1G Classic (160GB) to the 2.0.x firmware of the 2G/3G Classic? (I know that the hardware is almost a perfect match.) I think it could be done by getting an image of the HDD of an iPod Classic with the new software and overwrite it to the older one. Has anyone tried this? Can it be done? Thank You very much for all your work! :Yes, this should be possible and in fact we have done something similar with the 4G. One time we copied the contents of a 8GB Nano 4G and gave it to me to put on my 16GB Nano 4G. It booted fine. But the thing is the Classic 2G has some headphone hardware that the 1G does not, and this could cause a crash when booting or using. We are more interested in copying the Classic 2G firmware to the Classic 3G since the 3G ships with firmware that has the notes vulnerability patched. [[User:Cmwslw|Cmwslw]] 05:18, 16 August 2010 (UTC) Thanks for the quick reply! I know about the headphone difference but I still hope that those really tiny chips that are added on the motherboard of the Classic 2G aren't so important that the OS will crash without them. 
I believe that porting new features to iPods via the original firmware if possible should also be included in this wiki. I do also understand that porting Rockbox on the new iPods is of higher priority and just hope that someone will find some spare time for this. [[User:Wolftail|Wolftail]] 12:55, 16 August 2010 (UTC) 0e9611bc2646cea94abd8877cbbaaeccadeee755 3280 3264 2010-11-24T00:15:05Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Wolftail|Wolftail]] wikitext text/x-wiki PS: If anyone will read this... Is it possible to update the 1G Classic (160GB) to the 2.0.x firmware of the 2G/3G Classic? (I know that the hardware is almost a perfect match.) I think it could be done by getting an image of the HDD of an iPod Classic with the new software and overwrite it to the older one. Has anyone tried this? Can it be done? Thank You very much for all your work! :Yes, this should be possible and in fact we have done something similar with the 4G. One time we copied the contents of a 8GB Nano 4G and gave it to me to put on my 16GB Nano 4G. It booted fine. But the thing is the Classic 2G has some headphone hardware that the 1G does not, and this could cause a crash when booting or using. We are more interested in copying the Classic 2G firmware to the Classic 3G since the 3G ships with firmware that has the notes vulnerability patched. [[User:Cmwslw|Cmwslw]] 05:18, 16 August 2010 (UTC) Thanks for the quick reply! I know about the headphone difference but I still hope that those really tiny chips that are added on the motherboard of the Classic 2G aren't so important that the OS will crash without them. I believe that porting new features to iPods via the original firmware if possible should also be included in this wiki. I do also understand that porting Rockbox on the new iPods is of higher priority and just hope that someone will find some spare time for this. 
[[User:Wolftail|Wolftail]] 12:55, 16 August 2010 (UTC) 24b75360517cef3a2c19c8c900a7d0404492f88b User:Farthen 2 125 3265 3209 2010-11-23T23:05:00Z Owixyze 158 wikitext text/x-wiki Just a quick summary of me: I am from Germany and I can speak German, English and some (really not so much) French. I am the webmaster and server admin of this project. If you notice that the server is doing weird things please tell me about it. I have programming experience in Python and AVR ASM and i already did some minor stuff in ARM ASM, C, PHP and bash. I have an iPod nano 4g, downgraded to 1.0.3 of course. I found out about this project at June 2009 and I built the first real [[Nanotron 3000]] and was also the one to find the return address of the [[Nano 4G]]. If you have questions to me, want to tell me that the irc bot is not behaving as it should or whatever: Just ask on the [[User_talk:Farthen|talk page]], on [[Contact|irc]] or through the [[Contact|mailing list]]. 214ade4e7bf6beed24a14768f909af2fc940fb7f 3281 3265 2010-11-24T00:15:05Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki Just a quick summary of me: I am from Germany and I can speak German, English and some (really not so much) French. I am the webmaster and server admin of this project. If you notice that the server is doing weird things please tell me about it.
I have programming experience in Python and AVR ASM and i already did some minor stuff in ARM ASM, C, PHP and bash. I have an iPod nano 4g, downgraded to 1.0.3 of course. I found out about this project at June 2009 and I built the first real [[Nanotron 3000]] and was also the one to find the return address of the [[Nano 4G]]. If you have questions to me, want to tell me that the irc bot is not behaving as it should or whatever: Just ask on the [[User_talk:Farthen|talk page]], on [[Contact|irc]] or through the [[Contact|mailing list]]. 5400c1d29d6b400d7f33a2cd1581944bcbbaf753 Firmware 0 56 3266 3120 2010-11-23T23:05:02Z Owixyze 158 wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware.
It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly. ** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 8f415e096e6d1e6375ef013c7fe531a9e1684695 3279 3266 2010-11-24T00:15:02Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Wolftail|Wolftail]] wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. 
[[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly. ** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 223a4b6ae303fbb0378640e94e9b61aa71ee5043 User:Cmwslw 2 77 3267 1651 2010-11-23T23:05:11Z Owixyze 158 wikitext text/x-wiki == ToDo == #
http://www.mobilehandsetdesignline.com/197800854 # [[Talk:Bootstrapping sequence]], [[Talk:Firmware encryption]], 2G CPU of [[Hardware]] # Look over chronicdev wiki # Add DFU mode info (dfu-utils, Hardware manager) # Info about snooping RAM (FPGA, davidc) # Add info about bootrom and datasheet http://nxtpp.clustur.com/index.php?title=Bootstrapping_sequence&oldid=1630 http://nxtpp.clustur.com/index.php/Hardware 68f28f0e2543090a19694a1fe3945e9391f0b70d 3278 3267 2010-11-24T00:15:02Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki == ToDo == # http://www.mobilehandsetdesignline.com/197800854 # [[Talk:Bootstrapping sequence]], [[Talk:Firmware encryption]], 2G CPU of [[Hardware]] # Look over chronicdev wiki # Add DFU mode info (dfu-utils, Hardware manager) # Info about snooping RAM (FPGA, davidc) # Add info about bootrom and datasheet http://nxtpp.clustur.com/index.php?title=Bootstrapping_sequence&oldid=1630 http://nxtpp.clustur.com/index.php/Hardware 20efcc53ffa61be5aad619cdfe032d3dedaca2f5 Nano 3G 0 242 3268 2999 2010-11-23T23:05:13Z Owixyze 158 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8702 | 337S3473 8702, NONBWOEC, 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|- | 3 | SDRAM | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | 0728, C, HYE18M256, 169CX75, W3338092 | SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | V80B, 729379 | Flash - NOR, 8Mb, Serial SPI |- | 6 | NAND Flash | Varies | Samsung 728, K9HCG08U5M, PCB0, FCF285X1 | |- | 1 | Audio codec | WM1870 | APPLE, 338S0462, 76BZKTM | |- | 4 | Power manager | D1671B | 338S0408, 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 028d2d77270c71cee678a0fc5f99d9069ba64323 3277 3268 2010-11-24T00:15:00Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8702 | 337S3473 8702, NONBWOEC, 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
|- | 3 | SDRAM | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | 0728, C, HYE18M256, 169CX75, W3338092 | SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | V80B, 729379 | Flash - NOR, 8Mb, Serial SPI |- | 6 | NAND Flash | Varies | Samsung 728, K9HCG08U5M, PCB0, FCF285X1 | |- | 1 | Audio codec | WM1870 | APPLE, 338S0462, 76BZKTM | |- | 4 | Power manager | D1671B | 338S0408, 07258HAH | |} ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 70185320d265629e06852d1acfadf6e057ea4eea Talk:Hardware 1 83 3269 1656 2010-11-23T23:05:24Z Owixyze 158 wikitext text/x-wiki http://www.13354833.cn/bbs/attachment.php?aid=287&k=b8f98b64946025a383279e6ec475212f&t=1223688783 Meizu S5L8700 connection schematics.
Seems to be really close to actual layout... Or maybe it's not. 36e0e71857a4cd9ab15c914d9ad139fe7b6fc63a 3276 3269 2010-11-24T00:14:59Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:A W|A W]] wikitext text/x-wiki http://www.13354833.cn/bbs/attachment.php?aid=287&k=b8f98b64946025a383279e6ec475212f&t=1223688783 Meizu S5L8700 connection schematics. Seems to be really close to actual layout... Or maybe it's not. b8ae5ae76c2f2ba78af1f1354d722ccccfdbbc83 Classic 3G 0 247 3270 3053 2010-11-23T23:05:25Z Owixyze 158 wikitext text/x-wiki No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware. ==Terminology== By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9 2009. It is the same size as the [[Classic 2G]]. f109b4cf68a81dd9082d55cae5bb0dfb204b6ada 3275 3270 2010-11-24T00:14:58Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki No teardown pictures of the Classic 3G have been found yet.
There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware. ==Terminology== By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9 2009. It is the same size as the [[Classic 2G]]. bef095645c407b7f49a1acf70fae7b27ebec8707 Classic 2G 0 246 3272 3052 2010-11-23T23:05:49Z Owixyze 158 wikitext text/x-wiki [[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] ==Terminology== By iPod classic 2g we mean the second iPod with the 'classic' name. It was smaller than the 160GB version of the [[Classic_1G|Classic 1g]] and was only available with 120GB storage. ==Components== Almost exactly the same hardware as the [[Classic 1G]], except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support.
==Helpful pages== Teardowns: *http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c 0b43a1caf32ded76c8774d9489ac22c2d4e73b38 3273 3272 2010-11-24T00:11:55Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki [[Image:classic_2g_frt_a.jpg|500px]] [[Image:classic_2g_bck_a.png|500px]] ==Terminology== By iPod classic 2g we mean the second iPod with the 'classic' name. It was smaller than the 160GB version of the [[Classic_1G|Classic 1g]] and was only available with 120GB storage. ==Components== Almost exactly the same hardware as the [[Classic 1G]], except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support. ==Helpful pages== Teardowns: *http://www.chinaveboss.com/faq_info.html?faqs_id=53&fcPath=1&zenid=19755464b2fde0cb4f7a8877cfa6649c c20fb43c206ec2c9022e7abe71f3a14f8a0d40ad Chronology 0 65 3293 3252 2010-11-24T00:15:21Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Benedikt93|Benedikt93]] wikitext text/x-wiki This page lists all iPod models and fixes the names used for them, so that nobody on this wiki or on IRC is confused about which model is being discussed. Please also refer to Apple's "[http://support.apple.com/kb/HT1353 Identifying iPod Models]" page. ==iPod Series== {| class="wikitable" ! Model !! Introduced !! Capacity !!
Notes |- | [http://support.apple.com/kb/HT1353#scrollwheel 1G] | 2001-10 | 5 GB or 10 GB | |- | [http://support.apple.com/kb/HT1353#touchwheel 2G] | 2002-07 | 10 GB or 20 GB | |- | [http://support.apple.com/kb/HT1353#dockconnector 3G] | 2003-04 | 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB | |- | [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] | 2004-07 | 20 GB or 40 GB | |- | [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] | 2004-10 | 20 GB, 30 GB, or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] | 2005-10 | 30 GB or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] | 2006-09 | 30 GB or 80 GB | |- | [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G] | 2007-09 | 80 GB or 160 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G] | 2008-09 | 120 GB | |- | [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G] | 2009-09 | 160 GB | |} ==iPod Nano Series== {| class="wikitable" ! Model !! Introduced !! Capacity !! Notes |- | [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] | 2005-09 | 1 GB, 2 GB, or 4 GB | |- | [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] | 2006-09 | 2 GB, 4 GB, or 8 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] | 2007-09 | 4 GB or 8 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] | 2008-09 | 8 GB or 16 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] | 2009-09 | 8 GB or 16 GB | |- | Nano 6G | 2010-09 | 8 GB or 16 GB | Multi-Touch display |} ==Timeline== [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. 
While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple switched to Samsung processors and no longer used PortalPlayer. ==Helpful Pages== http://support.apple.com/kb/HT1353 0a19d20389c1e158776dfedf042f51f78a2e8013 EmBIOS Monitor Protocol 0 258 3294 3251 2010-11-24T00:15:22Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki This article describes the USB communication protocol of emBIOS monitor. == Endpoints == The emBIOS Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header.
The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, is the status code, the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 1 || emBIOS Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emBIOS itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. 
Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
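The 16-byte command and response headers from General Structure, and the layouts of commands 1, 4 and 5 above, can be exercised without USB hardware. The following Python is an added example, not code from the emBIOS project: the function names and the sample responses are constructed here, and the check that a write stays inside the reported user memory range is a host-side safeguard chosen for this example, not a rule stated by the protocol.

```python
import struct

HEADER_LEN = 16
STATUS = {0: "invalid response", 1: "OK",
          2: "command not supported", 3: "device busy"}
# Device Type IDs from the Hardware Types table
DEVICE_TYPES = {0x47324E49: "iPod Nano 2G", 0x47334E49: "iPod Nano 3G",
                0x47344E49: "iPod Nano 4G", 0x4C435049: "iPod Classic"}


class MonitorError(Exception):
    """Raised for a short packet or an unexpected status code."""


def build_command(cmd_id, args=b"", data=b""):
    """Command ID word + 12 argument bytes (zero padded), then optional data."""
    if len(args) > HEADER_LEN - 4:
        raise ValueError("header arguments exceed 12 bytes")
    return struct.pack("<I", cmd_id) + args.ljust(HEADER_LEN - 4, b"\x00") + data


def build_get_info(info_type):
    """Command 1: 0 = version, 1 = packet sizes, 2 = user memory range."""
    return build_command(1, struct.pack("<I", info_type))


def build_read_memory(addr, length, max_cmd_in):
    """Command 4: the response, header included, must fit one Command IN packet."""
    if length <= 0 or HEADER_LEN + length > max_cmd_in:
        raise ValueError("read does not fit the Command IN packet size")
    return build_command(4, struct.pack("<II", addr, length))


def build_write_memory(addr, data, max_cmd_out, user_range):
    """Command 5: header + data must fit one Command OUT packet."""
    lower, upper = user_range
    if not data or HEADER_LEN + len(data) > max_cmd_out:
        raise ValueError("write does not fit the Command OUT packet size")
    # Host-side safeguard chosen for this example (not a protocol rule):
    # only write inside [lower, upper), the range emBIOS reports as unused.
    if addr < lower or addr + len(data) > upper:
        raise ValueError("write falls outside the user memory range")
    return build_command(5, struct.pack("<II", addr, len(data)), data)


def parse_response(packet, accept=(1,)):
    """Return (status, 12 header bytes, data) or raise MonitorError."""
    if len(packet) < HEADER_LEN:
        raise MonitorError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet)
    if status not in accept:
        raise MonitorError(STATUS.get(status, "unknown status %d" % status))
    return status, packet[4:HEADER_LEN], packet[HEADER_LEN:]


def parse_version(packet):
    _, hdr, _ = parse_response(packet)
    svn, major, minor, patch, sw_type, dev = struct.unpack("<IBBBBI", hdr)
    return {"svn": svn, "version": (major, minor, patch), "software_type": sw_type,
            "device": DEVICE_TYPES.get(dev, "unknown 0x%08x" % dev)}


def parse_packet_sizes(packet):
    _, hdr, _ = parse_response(packet)
    cmd_out, cmd_in, data_out, data_in = struct.unpack("<HHII", hdr)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def parse_user_memory(packet):
    _, hdr, _ = parse_response(packet)
    lower, upper, _undefined = struct.unpack("<III", hdr)
    return lower, upper


# Constructed sample responses (not captured from a device)
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 1234, 0, 1, 0, 1, 0x47344E49)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 512, 512, 65536, 65536)
SAMPLE_RANGE = struct.pack("<IIII", 1, 0x08000000, 0x09000000, 0)
SAMPLE_BUSY = struct.pack("<I", 3) + bytes(12)

if __name__ == "__main__":
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    rng = parse_user_memory(SAMPLE_RANGE)
    print(parse_version(SAMPLE_VERSION))
    print(build_read_memory(rng[0], 64, sizes["cmd_in"]).hex())
    print(build_write_memory(rng[0], b"\xAA" * 8, sizes["cmd_out"], rng).hex())
    try:
        parse_response(SAMPLE_BUSY)
    except MonitorError as exc:
        print("rejected:", exc)
```

For the asynchronous commands (reset, power off, I2C), call `parse_response` with `accept=(1, 3)` and retry later when it returns status 3.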
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. 
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emBIOS executable image. This is an asynchronous command. 
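The packet layouts documented above for commands 4, 5, 8, 10 and 19 can be exercised offline with a small host-side codec. This is an added example, not emBIOS project code; little-endian field order, the 512-byte endpoint size and all addresses in it are assumptions made for the illustration.

```python
import struct

HEADER_SIZE = 16   # every command and response starts with a 16-byte header
STATUS_OK = 1      # the tables list 1 as the status of a completed command


class ProtocolError(ValueError):
    """Raised for requests the spec forbids and for unusable responses."""


def check_u32(name, value):
    if not 0 <= value <= 0xFFFFFFFF:
        raise ProtocolError(f"{name} does not fit in 32 bits: {value!r}")


def build_read_memory(address, length, max_in_packet):
    """Command 4. The response is header + data, so both must fit one packet."""
    check_u32("address", address)
    if length < 0 or HEADER_SIZE + length > max_in_packet:
        raise ProtocolError("read would exceed the Command IN packet size")
    return struct.pack("<4I", 4, address, length, 0)


def build_write_memory(address, data, max_out_packet):
    """Command 5. Header and payload travel together in one OUT packet."""
    check_u32("address", address)
    if HEADER_SIZE + len(data) > max_out_packet:
        raise ProtocolError("write would exceed the Command OUT packet size")
    return struct.pack("<4I", 5, address, len(data), 0) + bytes(data)


def build_i2c_read(bus, slave_addr, start, count, max_in_packet):
    """Command 8. Four one-byte fields follow the ID, then 8 zero bytes."""
    if not 0 <= bus <= 0xFF or not 0 <= start <= 0xFF:
        raise ProtocolError("bus index and start address are single bytes")
    if not 0 <= slave_addr <= 0x7F:
        raise ProtocolError("I2C slave address must be 7 bits")
    # The text caps a transfer at 255 data bytes, so the count byte 0
    # (which the table defines as 256) is never emitted here.
    if not 1 <= count <= 255 or HEADER_SIZE + count > max_in_packet:
        raise ProtocolError("I2C read length out of range")
    return struct.pack("<IBBBB8x", 8, bus, slave_addr << 1, start, count)


def build_console_read(length, max_in_packet):
    """Command 10. A zero-length request is valid and serves as a keep-alive."""
    if length < 0 or HEADER_SIZE + length > max_in_packet:
        raise ProtocolError("console read would exceed the Command IN packet size")
    return struct.pack("<II8x", 10, length)


def build_create_thread(name_ptr, entry, stack, stack_size, system, priority, ready):
    """Command 19, which uses the extended 32-byte command packet."""
    for name, value in (("name", name_ptr), ("entry", entry),
                        ("stack", stack), ("stack size", stack_size)):
        check_u32(name, value)
    if not 1 <= priority <= 255:
        raise ProtocolError("priority must be in 1-255")
    return struct.pack("<8I", 19, name_ptr, entry, stack, stack_size,
                       int(bool(system)), priority, int(bool(ready)))


def parse_header(packet):
    """Split the 16-byte response header into four unsigned 32-bit words."""
    if len(packet) < HEADER_SIZE:
        raise ProtocolError("response shorter than its header")
    words = struct.unpack_from("<4I", packet)
    if words[0] != STATUS_OK:
        # Other status values (the tables mention 3) are reported, not interpreted.
        raise ProtocolError(f"device returned status {words[0]}")
    return words


def parse_read_memory(packet, requested):
    """Response to command 4: header words 1-3 are undefined, data follows."""
    parse_header(packet)
    data = bytes(packet[HEADER_SIZE:HEADER_SIZE + requested])
    if len(data) != requested:
        raise ProtocolError("response carries fewer bytes than requested")
    return data


def parse_console_read(packet, requested):
    """Response to command 10: only the first `valid` payload bytes are data."""
    _, valid, buffer_size, waiting = parse_header(packet)
    if valid > requested or HEADER_SIZE + valid > len(packet):
        raise ProtocolError("valid-byte count exceeds what was requested or sent")
    return bytes(packet[HEADER_SIZE:HEADER_SIZE + valid]), buffer_size, waiting


def parse_create_thread(packet):
    """Response to command 19: word 1 is signed, negative means error code."""
    parse_header(packet)
    (result,) = struct.unpack_from("<i", packet, 4)
    if result < 0:
        raise ProtocolError(f"thread creation failed with error {result}")
    return result


if __name__ == "__main__":
    MAX_PACKET = 512  # assumed endpoint size, not a value from the page
    print(build_read_memory(0x08000000, 64, MAX_PACKET).hex())
    # Constructed response: 5 valid console bytes padded to the 8 requested.
    reply = struct.pack("<4I", 1, 5, 256, 0) + b"hello\xaa\xbb\xcc"
    print(parse_console_read(reply, 8))
```

The parsers discard the padding and the words the tables mark as undefined, so callers never act on bytes the device did not declare valid.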
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} b42c158870741371237586cda84f0bf224c7671d S5L8700 datasheet 0 255 3296 3249 2010-11-24T00:15:25Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Benedikt93|Benedikt93]] wikitext text/x-wiki The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail. The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version. ==Helpful pages== http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html edf4c2364768cc4a6cc1cf9e4ac0c482f7c60ad9 Nano 5G 0 244 3297 3248 2010-11-24T00:15:26Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM] | 33DM, 2910 | The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 ffacbd18f9b8020761a45e8694c6d0384c5af6a8 Nano 2G 0 241 3298 3247 2010-11-24T00:15:28Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki [[Image:nano_2g_frt_a.jpg|300px]] [[Image:nano_2g_bck_a.jpg|300px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 1 | CPU | Samsung S5L8701 |337S32918701, N042DQS, 0636 ARM | System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 176kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. 
Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701. |- | 2 | SDRAM | [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG Samsung K4M56163PG] |SEC 637 GG75, K4M56163PG, AQH373P1 | [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead. |- | 3 | Utility Flash | [http://www.sst.com/products/?inode=41422 SST39WF800A] |SST39WF800A, 90-4C-C2QE, 0631287-A | stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on. |- | N/A | DSP | N/A | N/A | Doesn't seem to be present at all. 
|- | B1 | NAND Flash | Varies |TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20 | |- | 6 | USB charging | LTC4066 |Linear Technology, 6H, 4066, B8966 | |- | 5 | Audio codec | Wolfson WM8975 |APPLE, 338S0310, 68BTST8 | |- | 4 | Step down regulator | LM34910 |National Semiconductor, JM66RJ, L34910B | |- | B2 | Power manager (below) | NXP PCF50633UM |APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1 *http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4 *http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager) *http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&topic=6518.msg62700#msg62700 (beautiful PCB scans) Other: *http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf 3e2d3267fc0c3809cd906f2d4292d92f85ec175e Address bruteforcing 0 122 3299 3246 2010-11-24T00:15:30Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki {{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}} The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems. 
== Setup == OK, so here's how to help out: first of all, download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go. This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time. == Known problems == Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]]. == Steps == # Connect your iPod to the computer if it isn't already and browse to its Notes directory. 
Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it. # Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios: ## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off. ## The iPod works completely normally. You can navigate menus, play music, etc. without any problems. ## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes. ## The iPod freezes up entirely. # The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first! Most sweep files will usually either crash (#1) or freeze (#4). If you have one or more that do neither of these, record them in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table! == Table of reserved or tested files == {| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename ! 
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] c416d330e68fe70459e474d1478876831ddd5883 SVN 0 261 3300 3245 2010-11-24T00:15:33Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki We have a Subversion repository where we store our code for our software projects. == Builds == We have automatic builds of our software. Just head over to http://builds.freemyipod.org to download the build you want. == Websvn == If you just want to browse the SVN, go to http://websvn.freemyipod.org. 
== Checkout ==
If you want to check out the repository, please use this URL: http://svn.freemyipod.org

== Commit ==
If you are a registered developer you need to use this URL to check out and commit: https://svn.freemyipod.org. You need to specify your username and password.

094bac4420cd36eb9d39f3839574c0860ba9eddf Notes vulnerability 0 98 3301 3244 2010-11-24T00:15:34Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki

=== Basics ===
The notes functionality is basically an HTML browser included in the iPod. Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here]. Basic rules are:
* 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM
* each file is limited to 4kB
* the links point to other files, notes, or media files.
* the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)

There are many buffers scattered throughout the RAM:
# Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to.
# Some have UTF16 processing. These are a burden but can be worked around.
# Some have UTF8 processing. These are virtually unusable.

The main disadvantage of this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage.

=== Dealing with UTF-16 ===
If jumping to a UTF16-processed buffer, the possible character sequences are limited. To keep the widest range of usable characters, the best approach is to encode the exploit directly as [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16]. The forbidden values in UTF16 are:
* FE FF: UTF16 BOM
* D8 00 up to DF FF: it has not been checked what happens when these are inserted
* 00 00: would stop string processing

The payload is placed in the body of the .htm file.
=== Link overflow ===
After loading the file, the links are then checked against the file system. Many modified copies of this string are present on the stack. We could identify the most important steps of this process, up to the string overflow on the stack (the order could be a little different):
*First, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded as multiple bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded: %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied into a limited buffer which is located on the stack.

By putting a return address repetitively in the link, the processor will jump to this address. For convenience, the return address is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F. (The unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again.)

== Exploiting, getting execution ==
(Credit for the exploit goes to [[Sto]])

To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return addresses of the buffers. In my case, I had to place a second file to influence the buffer's location in order to have a return address which conforms to UTF8 (no byte of the return address can be >7F).

An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here]. The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);". This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the iPod will freeze as soon as you press "play" or if you enter the notes menu, etc...
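The steps listed under Link overflow end in a copy into a fixed-size buffer. The following added example (not the iPod firmware's code and not written by this wiki's authors) is a bounded version of that pipeline in C that rejects an oversized or malformed link instead of overrunning the destination, and compares the order the page describes (uppercase before %xx decoding) with decoding first. All function names, status codes and sample links are assumptions made for illustration, and the UTF-8 conversion step is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINK_MAX 256 /* documented link limit, per the page */

enum link_status { LINK_OK = 0, LINK_TOO_LONG = -1, LINK_BAD_ESCAPE = -2 };
enum link_order { UPPER_THEN_DECODE, DECODE_THEN_UPPER };

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static unsigned char ascii_upper(unsigned char c)
{
    return (c >= 'a' && c <= 'z') ? (unsigned char)(c - 'a' + 'A') : c;
}

/*
 * Uppercase and %xx-decode `link` into dst[0..dst_cap). On success dst is
 * NUL-terminated. Every write is checked against dst_cap, so a link that
 * does not fit is rejected rather than written past the end of dst.
 */
int normalize_link(const char *link, char *dst, size_t dst_cap,
                   enum link_order order)
{
    size_t out = 0;

    if (dst_cap == 0)
        return LINK_TOO_LONG;
    for (size_t i = 0; link[i] != '\0'; i++) {
        unsigned char c = (unsigned char)link[i];
        int escaped = 0;

        if (i >= LINK_MAX)
            return LINK_TOO_LONG;       /* input exceeds the documented limit */
        if (c == '%') {
            int hi = hex_val((unsigned char)link[i + 1]);
            int lo = (hi < 0) ? -1 : hex_val((unsigned char)link[i + 2]);
            if (hi < 0 || lo < 0)
                return LINK_BAD_ESCAPE; /* truncated or non-hex escape */
            c = (unsigned char)(hi * 16 + lo);
            if (c == 0)
                return LINK_BAD_ESCAPE; /* %00 would silently truncate */
            escaped = 1;
            i += 2;
        }
        /* UPPER_THEN_DECODE models case folding that ran before decoding:
         * decoded bytes are never folded. DECODE_THEN_UPPER folds them all. */
        if (!escaped || order == DECODE_THEN_UPPER)
            c = ascii_upper(c);
        if (out + 1 >= dst_cap)
            return LINK_TOO_LONG;       /* keep one byte for the NUL */
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return LINK_OK;
}

/* Returns 1 when `link` normalizes successfully to exactly `expected`. */
int normalizes_to(const char *link, enum link_order order, const char *expected)
{
    char buf[LINK_MAX + 1];
    return normalize_link(link, buf, sizeof buf, order) == LINK_OK
        && strcmp(buf, expected) == 0;
}

/* Status returned for `link` with a full-size destination buffer. */
int status_of(const char *link)
{
    char buf[LINK_MAX + 1];
    return normalize_link(link, buf, sizeof buf, DECODE_THEN_UPPER);
}

/* Status for a constructed link of n 'A' characters and a cap-byte buffer. */
int status_for_length(size_t n, size_t cap)
{
    char link[1024], dst[512];
    if (n >= sizeof link || cap > sizeof dst)
        return LINK_TOO_LONG;
    memset(link, 'A', n);
    link[n] = '\0';
    return normalize_link(link, dst, cap, DECODE_THEN_UPPER);
}

int main(void)
{
    /* Constructed sample links, not taken from any real notes file. */
    printf("page order keeps %%61 lowercase: %d\n",
           normalizes_to("notes/%61bc.txt", UPPER_THEN_DECODE, "NOTES/aBC.TXT"));
    printf("decode first folds it:         %d\n",
           normalizes_to("notes/%61bc.txt", DECODE_THEN_UPPER, "NOTES/ABC.TXT"));
    printf("257-char link status:          %d\n", status_for_length(257, 512));
    printf("64 chars into 64-byte buffer:  %d\n", status_for_length(64, 64));
    return 0;
}
```

Decoding first, then folding and length-checking what was actually decoded, closes both the overflow and the gap through which escaped bytes skip the uppercase step.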
The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on. Caches are also activated. Disabling them is recommended if you are performing complex IO & DMA stuff because they can interfere.

== Dumping memories ==
For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible. The dumps can't be published here, due to copyright issues.

== UART ==
The UART is exactly the same as described in the datasheet (if one did indeed exist). See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector.

My complete setup is a little bit more complex:
[[Image:Nanofighter.jpg|100px|thumb]]
* left board: DLC5 JTAG interface, modified for reset and USB switching
* right board: some programmer board, only the ST232 is used
* upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used
* middle board: all the switching stuff

To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.

== USB ==
USB was eventually figured out so we no longer needed the UART cables.

93398ce58c825bf7723652ae5c03dbc50cd07933 MPEG movies 0 173 3302 3243 2010-11-24T00:15:35Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki

Note: I'm not that great of a formatter so please edit to make this look neat and nice.

Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First install Rockbox.
== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, and then press enter:
<pre>ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]</pre>
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
<pre>ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg</pre>
Now wait for the program to finish. Now on your Desktop you should see a new file. Boot your iPod to disk mode (by pressing the middle button in iLoader). Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click files, then click on your movie file and it should play.

== Linux Instructions: ==
Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use <code>sudo apt-get install ffmpeg</code>. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file. Type the following:
<pre>ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]</pre>
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg.
An example string you would type in would be: ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg ''Note: If libmp3lame doesn't work use just mp3.'' Now copy the resulting video file to your iPod Nano 2G. In rockbox navigate to your file and play it. == Several Notes == To get a widescreen aspect ratio try 170x128 try changing the ratio to make a better view. Your videos might take some time to convert. 637f1fecc840ee9fdcb118602c0d0ca42effd836 Contributing 0 256 3304 3241 2010-11-24T00:15:40Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. 
Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).

==Writing guides==
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.

==Testing==
Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding of the tools you're testing. Besides, we already have a lot of [[Willing testers]].

34efd0808e42775a8ccdfb60f81a5a5d74125112 IBugger 0 116 3305 3240 2010-11-24T00:15:41Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki

{{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emBIOS]].}}
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
The two iBugger utilities use a Python script that handles USB communication with the iPod.

===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB.
The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core.

There are iBugger Loader releases for the 2G and 4G Nanos.

===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes needed to the code being debugged to allow running it in iBugger

There are iBugger Loader releases for the 2G and 4G Nanos.

fc69a05cc61e520e115325573ecd7b1ebebbcb3c ILoader 0 146 3306 3239 2010-11-24T00:15:42Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki

Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the Apple firmware that way, but still have its non-negligible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed.
iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable. iLoader only works on the 2G Nano, as this is the only iPod we've figured out the FTL for. For installation instructions, see the [http://theseven.freemyipod.org/iloader iLoader homepage]. e70dbef4a8aa6a65a3a99c3b0bae90e06c92286e Hardware 0 54 3307 3238 2010-11-24T00:15:44Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G|"Nano" 6G]] |S5L8723 |? |? |? |? 
|- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: *If you can prove or disprove any of these chip names, please let us know on the mailing list. *The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs. ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx 42968ac25b59b158195faf38690abc6d80e49b54 Classic 1G 0 245 3308 3237 2010-11-24T00:15:46Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Terminology== By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | Cirrus | | |- | 1 | Power manager | NXP PCF50635 | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html c1cd317e8419fb77f8caa6771d5debf0f9750af8 Nano 6G 0 276 3309 3236 2010-11-24T00:15:48Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Wolftail|Wolftail]] wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | | | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | | | Apple 338S0783-B1 10298HLS | Could be the Power Manager? Someone please confirm this. |- | <span style="color:#e8e838">Yellow</span> | | | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | | | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. 
We don't yet know how this device works and if we want to do something with it at all.<br />
The red and black cables lead to the battery.

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563
Reviews:
*http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars

dccea40f285887a20420969d3d004e4daf6683b8 Dumping firmware 0 53 3310 3235 2010-11-24T00:15:50Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:User890104|User890104]] wikitext text/x-wiki

The first step to examining the iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.

==From the iPod==
Getting a firmware dump is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| class="wikitable"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| class="wikitable"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out!
At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches.
|}

You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE

d2dfc69de8cab26ba6a54e01a0bfaa1453532c57 Extracting firmware 0 57 3311 3234 2010-11-24T00:15:52Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:User890104|User890104]] wikitext text/x-wiki

The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/. The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw

On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is considered a workaround, because the Nano 4G firmwares are detected as Nano 3G's, but the offset is different.
To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw

These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g --help</pre>

===Removing header===
Also, if you are using the osos.fw output by extract2g in iLoader, you need to remove the 2 KiB header from it:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Or alternatively, under Windows open osos.fw in HxD and select 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.

Then put osos.out into /iLoader/osos.fw

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware

18346efffa6fe95af0d62a7f3c0a65fa49135ac2 EmBIOS 0 267 3312 3233 2010-11-24T00:15:54Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Farthen|Farthen]] wikitext text/x-wiki

[[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]]
emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse.
If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here].

==Building==
If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod:
* Check out the Freemyipod [[SVN]].
* Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path.
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN.
* You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver]
* If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code>

==Using==
To communicate with emBIOS, use the embios.py Python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios.py without any arguments to get a list of possible commands. You can upload and download from/to the memory, read the i2c bus, run emBIOS applications or complete firmware files and much more. Just try it out!
41afbbeb0a48956a8944f2736ae9997226623e8e Modes 0 52 3313 3232 2010-11-24T00:15:56Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Myst|Myst]] wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from the iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since the Nano 3G) is probably contained in the processor's on-chip bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode.
05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:
{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| ?
| ?
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| 1261
| 1223
|}
Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

dafd80d5b1cc4620d081172a87632421871d06b8 Firmware decryption 0 66 3314 3231 2010-11-24T00:15:57Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Wolftail|Wolftail]] wikitext text/x-wiki
==Background==
Firmware encryption started with the release of the iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key.
The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent to it. After the decryption process completes, the decrypted data is downloaded.

==ipodcrypt==
The ipodcrypt utility has the following features:

for [[Nano 2G]]:
*encrypt/decrypt DFU image
*encrypt/decrypt firmware file contents
*encrypt/decrypt dump of NOR flash's contents
for [[Nano 4G]]:
*decrypt firmware file contents

The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.

==Prerequisites==
===Windows===
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see notes below).

Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads

You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror].
The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.

'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it into the folder where you extracted the iBugger driver, then overwrite the .dll and .sys files with the ones from the 1.2.x package. Installing the driver then works as usual.

'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions.

===Linux===
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
<pre>
easy_install pyusb
</pre>
Otherwise, you need to download it and install it manually as in the Windows instructions.

To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.
===Mac OS X===
(to be added later)

==Helpful pages==
http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/

4c6a9112536b908e6bc9bd043b392a23f744bb40 S5L8701 analysis 0 89 3315 3230 2010-11-24T00:15:58Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki
[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]

== Introduction ==
The Samsung S5L8701 is the SoC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothing about the differences between the two chips, or about their further evolutions.

There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. It probably contains crypto information.

Knowing the location of some JTAG pins could be very helpful. There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==
The chip is a 226-pin TFBGA with a pitch of 0.5mm. This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double-sided PCB substrate.
The electrical current passes through:
*a pad of the chip die
*a bonding wire
*the top layer of the substrate
*a via
*the bottom layer
*finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout). In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==
The following steps were carried out:
*desoldering of the IC
*removing of the balls and filler glue
*X-ray picture
*microscope picture of the bottom layer
*removing the bottom layer and most of the substrate (by careful manual grinding)
*microscope picture of the top layer
*superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==
The pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the current status.

This is not an easy part of the work: each pad has to be tested for connections all over the board (with most ICs removed). See [[Nano2G HW analysis]] for further PCB analysis.

ffdc2f5ed9288896ca60aaad5bce40d81d6b4422 Working with binaries 0 201 3316 3229 2010-11-24T00:16:00Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:Cmwslw|Cmwslw]] wikitext text/x-wiki
==GNU ARM toolchain==
Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod.

===Obtaining===
The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.

===Assembling===
<pre>
arm-elf-as -o test.o test.asm
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
arm-elf-objcopy -O binary test.elf test.bin
</pre>

===Disassembling===
<pre>
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm
</pre>

==IDA Pro==
===Distributions===
====IDA Pro 5.7 paid====
This is the best version if you can pay.
One of the main advantages over its demo version is that you can save project files.

====IDA Pro 5.7 demo====
This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries. The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:
<pre>
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
arm-elf-objcopy --set-section-flags .data=code dump.elf
</pre>

====IDA Pro 4.9 freeware====
This version is tempting to download but useless since it doesn't support ARM.

===Usage===
[[Image:ida_config.png|thumb]]
#To create a new disassembly database, go to File->New...
#Select "Binary/Raw File" under the "Various files" tab
#Select the binary file you want to examine
#Click next. You don't need the analysis options
#The processor you should select is "ARM processors: ARM". Click next
#Click finish. Now you are asked about memory mapping. To the right is an example for the 4G bootrom. Fill out the info and press OK.
#IDA will now create the project file. Sometimes it freezes but if it does just try these steps again. There should be two popups concerning thumb mode and your program's entry point. Press OK for both of them.
#Go to 0x02000000 and press 'C'. This tells IDA that this is code. All the other code should appear now.
#You are good to go. Happy analyzing!
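
The raw-to-ELF workaround from the IDA Pro demo section, shown as an added example that is not part of the original wiki page or of the project's tools. It builds an executable-style ELF32 with a single loadable segment at the page's base address 0xff810000 (a different layout from the relocatable object objcopy emits) and parses it back with bounds checks; the function names and the eight sample bytes are constructed for this example, and whether a particular disassembler accepts this layout is an assumption.

```python
import struct
from typing import List, Optional, Tuple

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR = struct.Struct("<IIIIIIII")          # Elf32_Phdr, 32 bytes

ET_EXEC, EM_ARM, EV_CURRENT, PT_LOAD = 2, 40, 1, 1
PF_X, PF_W, PF_R = 1, 2, 4
ALIGN = 4  # ARM instructions are word aligned

BASE = 0xFF810000  # load address used in the objcopy command on this page
# Constructed sample dump: "mov r0, #0" followed by "b ." (little-endian ARM).
SAMPLE_DUMP = bytes.fromhex("0000a0e3" "feffffea")


def wrap_raw_arm(raw: bytes, base: int, entry: Optional[int] = None) -> bytes:
    """Return an ELF32 little-endian ARM image mapping `raw` at `base`."""
    if not raw:
        raise ValueError("empty dump")
    if base % ALIGN:
        raise ValueError("base address must be 4-byte aligned")
    if base + len(raw) > 1 << 32:
        raise ValueError("dump does not fit in the 32-bit address space")
    entry = base if entry is None else entry
    if not base <= entry < base + len(raw):
        raise ValueError("entry point lies outside the mapped dump")

    data_off = EHDR.size + PHDR.size  # 84: congruent to base modulo ALIGN
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, then zero padding
    ident = b"\x7fELF" + bytes([1, 1, EV_CURRENT]) + bytes(9)
    ehdr = EHDR.pack(
        ident, ET_EXEC, EM_ARM, EV_CURRENT, entry,
        EHDR.size,                # e_phoff: program header follows the header
        0,                        # e_shoff: no section headers
        0,                        # e_flags
        EHDR.size, PHDR.size, 1,  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                  # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = PHDR.pack(PT_LOAD, data_off, base, base,
                     len(raw), len(raw), PF_R | PF_W | PF_X, ALIGN)
    return ehdr + phdr + raw


def read_load_segments(elf: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (entry, [(vaddr, data), ...]) for every PT_LOAD segment.

    Every offset taken from the file is checked against the file size, so a
    truncated or hostile image raises ValueError instead of being misread.
    """
    if len(elf) < EHDR.size:
        raise ValueError("truncated ELF header")
    (ident, _type, machine, _ver, entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(elf)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    if machine != EM_ARM:
        raise ValueError("not an ARM image")
    if phnum and phentsize != PHDR.size:
        raise ValueError("unexpected program header size")

    segments = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(elf):
            raise ValueError("program header table runs past end of file")
        p_type, p_off, vaddr, _paddr, filesz, _memsz, _pflags, _align = \
            PHDR.unpack_from(elf, off)
        if p_type != PT_LOAD:
            continue
        if p_off + filesz > len(elf):
            raise ValueError("segment runs past end of file")
        segments.append((vaddr, elf[p_off:p_off + filesz]))
    return entry, segments


if __name__ == "__main__":
    image = wrap_raw_arm(SAMPLE_DUMP, BASE)
    entry, segs = read_load_segments(image)
    print("entry 0x%08x" % entry)
    for vaddr, data in segs:
        print("segment at 0x%08x, %d bytes" % (vaddr, len(data)))
```
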
==Helpful pages==
http://chdk.wikia.com/wiki/GPL_Disassembling

http://www.dwelch.com/ipod/

31a78ed7e2c663d893fdae1861aced300daaa6cd FTL 0 193 3317 3228 2010-11-24T00:16:01Z Farthen 28 Reverted edits by [[Special:Contributions/Owixyze|Owixyze]] ([[User talk:Owixyze|talk]]) to last revision by [[User:217.81.238.231|217.81.238.231]] wikitext text/x-wiki
The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).

== Terminology ==
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(This assumes that all pages are good. Part of it might be moved if there are bad pages, which is not fully understood yet.)
  ____________________________________________________
 |                 Block 0: Signature                 |
 |----------------------------------------------------|
 |                4 VFL context blocks                |
 |----------------------------------------------------|
 |             Spare blocks for remapping             |
 |----------------------------------------------------|
 |          Virtual blocks (directly mapped)          |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index into vflcxtblocks.
     */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap,
        but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare
        block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.
        If the entry is zero, you should look at the remap table to see
        if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring
        buffer. On a VFL context write, always 8 pages are written,
        and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the
        remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum.

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the read will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area (to the same page number within the block).
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points).
If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written.
     */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be
        committed because they were changed more than 100 times since
        the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated.
     */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.

=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e.
            Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page,
            for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };

5ba37dcbcb54683cbfca2ab26cf21c886911dfd1 User:Orion 2 282 3318 2010-11-24T20:36:11Z Orion 161 Created page with "Hi ! I'm french and I own an iPod Classic 1G 80Go. Available for testing (I don't mind loosing data, but won't tear apart my iPod), I can also help if you ever want to transla..." wikitext text/x-wiki
Hi! I'm French and I own an iPod Classic 1G 80Go.
Available for testing (I don't mind losing data, but won't tear apart my iPod), I can also help if you ever want to translate the wiki into French.

3e3bc3b56ffb6a74cd24abff9da8fa9faff66677 Main Page 0 50 3319 3210 2010-11-25T15:36:46Z Farthen 28 wikitext text/x-wiki
__NOTOC__
[[File:Embios.jpg|115px|thumb|right|[[emBIOS]] on the 4G Nano]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]

==Updates==
*{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
*{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
*{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

a7ba2d0f2ad59f5cab18a029d077ecdb439551e8 3344 3319 2010-12-20T19:28:04Z Farthen 28 wikitext text/x-wiki
__NOTOC__
[[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] on the iPod classic]]
This is the wiki for the freemyipod project.
Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]

==Updates==
*{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
*{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
*{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

55346b660305d21f1a392845ddb9d1b60e5e7240 3345 3344 2010-12-20T19:28:27Z Farthen 28 wikitext text/x-wiki
__NOTOC__
[[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]

==Updates==
*{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
*{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
*{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 8823efa2fb386396d86182412b29524e858c6e8b 3363 3345 2011-01-04T00:13:50Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Updates== * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! 
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 792fa98915dbc82bcdbdac5cb68186ce49f16c63 EmBIOS 0 267 3320 3312 2010-11-27T13:12:22Z Farthen 28 emBIOS is portable wikitext text/x-wiki [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. 
This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. emBIOS is designed with portability in mind. It should also be able to run on other devices like the BeagleBoard if someone ports the necessary drivers. If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here].
==Building==
If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps for compiling emBIOS for your iPod:
* Check out the Freemyipod [[SVN]].
* Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path.
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN.
* You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver].
* If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script), you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code>
==Using==
To communicate with emBIOS, use the embios.py Python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios.py without any arguments to get a list of possible commands.
You can upload to and download from memory, read the I2C bus, run emBIOS applications or complete firmware files and much more. Just try it out!
5dbf3e3a086017ba8bea92846a3aaa5d65079269 3336 3320 2010-12-09T16:36:23Z Farthen 28 wikitext text/x-wiki
[[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]]
emBIOS ('''em'''bedded '''BIOS''') is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. emBIOS is designed with portability in mind. It should also be able to run on other devices like the BeagleBoard if someone ports the necessary drivers. If you're curious about how emBIOS works, you can browse its SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here].
==Building==
If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps for compiling emBIOS for your iPod:
* Check out the Freemyipod [[SVN]].
* Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path.
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN.
* You can compile emBIOS for all targets ('make') or for only some ('make target1 target2').
You can find out the target names on [http://builds.freemyipod.org/ the buildserver].
* If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script), you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code>
==Using==
To communicate with emBIOS, use the embios.py Python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios.py without any arguments to get a list of possible commands. You can upload to and download from memory, read the I2C bus, run emBIOS applications or complete firmware files and much more. Just try it out!
0ebdff5102b254007a3a0c18801218478cf3fe6d Nano 3G/Memory Map 0 283 3326 2010-11-29T12:03:06Z Yuriks 164 crappy memory map wikitext text/x-wiki
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0x2200 0000 - 0x2203 FFFF</tt> || On-chip SRAM || Always accessible
|-
| <tt>0x0A00 0000 - 0x0BFF FFFF</tt> || SDRAM Mirror 2 || Same contents as mirror 1
|-
| <tt>0x0800 0000 - 0x09FF FFFF</tt> || SDRAM Mirror 1 || Needs initialization
|-
|}
50d2b9281138d082f883dac3eced576ae3e1f6f5 3327 3326 2010-11-29T12:06:25Z Yuriks 164 Added blank sections and reversed address ranges wikitext text/x-wiki
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0xFFFF FFFF - 0x2204 0000</tt> || ||
|-
| <tt>0x2203 FFFF - 0x2200 0000</tt> || On-chip SRAM || Always accessible
|-
| <tt>0x0BFF FFFF - 0x0A00 0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1
|-
| <tt>0x09FF FFFF - 0x0800 0000</tt> || SDRAM Mirror 1 || Needs initialization
|-
| <tt>0x07FF FFFF - 0x0000 0000</tt> || ||
|-
|}
d7a7d4c7283cf706d6056881a2e86e23e9193edb 3328 3327 2010-11-29T12:22:38Z Yuriks 164 Some other stuff wikitext text/x-wiki
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0xFFFF FFFF - 0x2204 0000</tt> || ||
|-
| <tt>0x2203 FFFF - 0x2200 0000</tt> || On-chip SRAM || Always accessible
|-
| <tt>0x21FF FFFF - 0x2000 C800</tt> || ||
|-
| <tt>0x2000 C7FF - 0x2000 0000</tt> || Boot ROM || Executed by processor at start up
|-
| <tt>0x1FFF FFFF - 0x0C00 0000</tt> || ||
|-
| <tt>0x0BFF FFFF - 0x0A00 0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1
|-
| <tt>0x09FF FFFF - 0x0800 0000</tt> || SDRAM Mirror 1 || Needs initialization
|-
| <tt>0x07FF FFFF - 0x0000 0000</tt> || ||
|-
|}
2d75105fd1cce498a30368d64a9ac812b15a666f 3331 3328 2010-11-30T11:11:59Z Yuriks 164 wikitext text/x-wiki
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0xFFFF FFFF - 0x4000 0000</tt> || ||
|-
| <tt>0x3FFF FFFF - 0x3800 0000</tt> || I/O Area || See table below
|-
| <tt>0x37FF FFFF - 0x2204 0000</tt> || ||
|-
| <tt>0x2203 FFFF - 0x2200 0000</tt> || On-chip SRAM || Always accessible
|-
| <tt>0x21FF FFFF - 0x2000 C800</tt> || ||
|-
| <tt>0x2000 C7FF - 0x2000 0000</tt> || Boot ROM || Executed by processor at start up
|-
| <tt>0x1FFF FFFF - 0x0C00 0000</tt> || ||
|-
| <tt>0x0BFF FFFF - 0x0A00 0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1
|-
| <tt>0x09FF FFFF - 0x0800 0000</tt> || SDRAM Mirror 1 || Needs initialization
|-
| <tt>0x07FF FFFF - 0x0000 0000</tt> || ||
|-
|}
= IO Map =
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
|}
94dec8d211e47703d80d479ef6f4ad726b7b23e5 3332 3331 2010-11-30T11:18:37Z Yuriks 164 wikitext text/x-wiki
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0xFFFF FFFF - 0x4000 0000</tt> || ||
|-
| <tt>0x3FFF FFFF - 0x3800 0000</tt> || I/O Area || See table below
|-
| <tt>0x37FF FFFF - 0x2204 0000</tt> || ||
|-
| <tt>0x2203 FFFF - 0x2200 0000</tt> || On-chip SRAM || Always accessible
|-
| <tt>0x21FF FFFF - 0x2000 C800</tt> || ||
|-
| <tt>0x2000 C7FF - 0x2000 0000</tt> || Boot ROM || Executed by processor at start up
|-
| <tt>0x1FFF FFFF - 0x0C00 0000</tt> || ||
|-
| <tt>0x0BFF FFFF - 0x0A00 0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1
|-
| <tt>0x09FF FFFF - 0x0800 0000</tt> || SDRAM Mirror 1 || Needs initialization
|-
| <tt>0x07FF FFFF - 0x0000 0000</tt> || ||
|-
|}
= IO Map =
{| class="wikitable"
|-
! Address !! Description !! Notes
|-
| <tt>0x3C800000<br />0x3C800004</tt> || WDTCON<br />WDTCNT || Watchdog timer<ref name="datasheet" />
|-
|}
<references>
<ref name="datasheet">See [[S5L8700 datasheet]]</ref>
</references>
0cbe013955d67f39f9305f780f50f51d4ad441fc Status 0 121 3333 3227 2010-12-01T19:38:57Z TheSeven 13 wikitext text/x-wiki
This status is based on the progress the freemyipod team has made so far.
{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> 
| <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''80GB model only'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span 
style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> <ref name="lcdonly1tested">The code is complete, but was only tested on one of the LCD types that were used in this series yet.</ref> </references> 439580ba8c1eed2571f492df4fb944e85a374167 3355 3333 2010-12-23T23:29:07Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> | <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | 
Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''80GB model only'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span 
style="color:grey">'''N/A'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

===Annotations===
<references>
<ref name="newexploit">We need a new exploit to execute code on this device.</ref>
<ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref>
<ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref>
<ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref>
<ref name="nano6g">The "Nano" 6G is something entirely new that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works or whether we want to do anything with it at all.</ref>
<ref name="similar8702">Should be similar to the iPod Classic 1G, but hasn't been tested on this platform yet.</ref>
<ref name="lcdonly1tested">The code is complete, but has so far only been tested on one of the LCD types used in this series.</ref>
</references>

dec51952d3985094733523213dfc6fd552a42c76 3357 3355 2010-12-27T16:21:07Z TheSeven 13 wikitext text/x-wiki

This status is based on the progress the freemyipod team has made so far.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]]
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| iBugger<ref name="ibugger"/>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
| <span style="color:grey">'''Yes'''<ref name="sram"/></span>
|-
| emBIOS
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| SPI
| <span style="color:grey">'''Unused'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''<ref name="similar8702"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| Backlight
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| LCD
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span>
| <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span>
| <span style="color:grey">'''Partially untested'''<ref name="lcdonly1tested"/></span>
|-
| Piezo
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Clickwheel
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Untested'''<ref name="similar8702"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| Audio
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| NAND/Hard Drive
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''80GB model only'''</span>
| <span style="color:grey">'''Untested'''<ref name="similar8702"/></span>
| <span style="color:green">'''Yes'''</span>
|-
| Power management
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| Firmware encryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
| <span style="color:grey">'''Partially'''</span>
|-
| Accelerometer
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
| <span style="color:grey">'''N/A'''</span>
|}

===Annotations===
<references>
<ref name="newexploit">We need a new exploit to execute code on this device.</ref>
<ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref>
<ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref>
<ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref>
<ref name="nano6g">The "Nano" 6G is something entirely new that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works or whether we want to do anything with it at all.</ref>
<ref name="similar8702">Should be similar to the iPod Classic 1G, but hasn't been tested on this platform yet.</ref>
<ref name="lcdonly1tested">The code is complete, but has so far only been tested on one of the LCD types used in this series.</ref>
</references>

f4ab85e4ade5885984b4aa56b058cf962fb5ff67 Dumping firmware 0 53 3334 3310 2010-12-07T17:24:24Z Farthen 28 wikitext text/x-wiki

The first step to examining an iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet.

==From the iPod==
Getting a firmware dump of a nano 2g is very easy in Linux. Just:
# Make sure the iPod is plugged in.
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive name to match your configuration.
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.
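The dd step above with two safeguards around it, as an added example that is not part of the original wiki page: it refuses to read a partition that is still mounted and compares SHA-256 digests of the source and the image afterwards. The function names and exit codes are assumptions made for this example, and the source path stands in for the page's /dev/sdX1.

```shell
#!/bin/sh
# Added example (not from the wiki): dump a partition with dd and verify the copy.
# dump_and_verify, is_mounted, sha256_of and the exit codes are names chosen here.
# Usage: dump_and_verify /dev/sdX1 dump.img

# Print the SHA-256 hex digest of a file or block device.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed if the given device is listed as a mount source in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' /proc/mounts
}

# Copy src to img, then prove the image is byte-identical to the source.
# Prints the digest on success; returns non-zero with a reason otherwise.
dump_and_verify() {
    src=$1
    img=$2

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    if [ -e "$img" ]; then
        echo "$img already exists, not overwriting" >&2
        return 3
    fi

    # A mounted filesystem can change while dd reads it, which makes the
    # image inconsistent and the digest comparison meaningless.
    if is_mounted "$src"; then
        echo "$src is mounted; unmount it before dumping" >&2
        return 4
    fi

    # Same command as on the page, with an explicit block size for speed.
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 5

    src_sum=$(sha256_of "$src")
    img_sum=$(sha256_of "$img")
    if [ "$src_sum" != "$img_sum" ]; then
        echo "digest mismatch: source $src_sum, image $img_sum" >&2
        return 6
    fi

    # Keep the verified image from being modified by accident.
    chmod a-w "$img"
    echo "$img_sum"
}
```

Record the printed digest next to the image so that later analysis can confirm it is still working on the unmodified dump.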
To dump the firmware of any iPod classic or iPod nano from version 3 on, you need to run your own code on the device to be able to dump the flash with the firmware code on it.

==From the internet==
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents:

===1G-3G Nano firmware structure===
{| class="wikitable"
! Filename !! Description
|-
| Firmware-XX.X.X.X || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|}

===4G Nano firmware structure===
The 4G Nanos seem to have a different structure with an interesting new file:
{| class="wikitable"
! Filename !! Description
|-
| Firmware.MSE || The actual firmware file
|-
| manifest.plist || An XML file that gives basic info about the firmware. Probably for iTunes.
|-
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhones and iPod Touches.
|}

You can copy over the firmware file, and that is the same as extracting a dump.img file from the iPod.

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware
http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE

ecb90243b91eb913a7a8cd8c8c0dc69f9e3723a6 Hardware 0 54 3335 3307 2010-12-07T17:46:55Z Farthen 28 wikitext text/x-wiki
5712470a6a619954a0580da4aef1897f519d6224 3350 3335 2010-12-21T13:46:19Z Sinless 141 wikitext text/x-wiki

This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on its link.

{| class="wikitable"
! Generation !! CPU !! RAM !! RAM size !! Utility flash !! Utility flash size
|-
|[[Nano 1G]]
|PP5021C-TDF
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41856 SST39WF400A]
|512kB
|-
|[[Nano 2G]]
|S5L8701
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41422 SST39WF800A]
|1MB
|-
|[[Nano 3G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Nano 4G]]
|S5L8720
|Integrated
|32MB
|?
|?
|-
|[[Nano 5G]]
|S5L8730
|Integrated
|?
|?
|?
|-
|[[Nano 6G|"Nano" 6G]]
|S5L8723
|?
|?
|?
|?
|-
|[[Classic 1G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|64MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Classic 2G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|64MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Classic 3G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE]
|64MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|}

Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]]

==Helpful pages==
Chip analyses
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx

e0ceaa327fb10173274eef29f9ba18a3c48b7975 Classic 1G 0 245 3337 3308 2010-12-12T13:30:28Z TheSeven 13 wikitext text/x-wiki

[[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]]

==Terminology==
By iPod classic 1g we
mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB.

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 3
| CPU
| Samsung S5L8702
|
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G
|-
| 2
| SDRAM
| K4X51163PE
|
|
|-
| 5
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]
|
| Same as on the Nano 3G
|-
| 4
| Audio codec
| Cirrus
| APPLE, 338S0394, A1GIO736, MAL
|
|-
| 1
| Power manager
| NXP PCF50635
| APPLE, 338S0445, 2114.102, ZPD7383Y
|
|-
| 6
| USB charging
| LTC4066
|
|
|}

==Helpful pages==
Teardowns:
*TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back]
Other:
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html

009a32fa60da39d2455982c443e7247dd81d84b2 User talk:TheSeven 3 280 3338 3224 2010-12-17T14:48:53Z Sinless 141 wikitext text/x-wiki
8fa99b2ad83f1e33a3fdb615ea787e2c0ed3387a 3389 3375 2011-01-06T03:12:02Z ArthuruhtrA 166 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the Nike+ iPod kits? As in control the alter the sensor to send modified data to the iPod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010

:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it. Then where should I upload it? -- [[User:sinless]]

:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon. Also, does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)

:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310, so the pictures are not clear enough. Notice that the motherboard of my classic (MC293, 160GB, firmware 2.o.4) is the same as the 2g classic board on the hardware page; Apple's mark is the same, 820-2437. -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so.
Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] 09d531b8729e889cd611b9815b0a279d86c1ce57 3415 3389 2011-01-07T13:13:19Z TheSeven 13 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. 
-- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. 
--[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. 
--[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

File:Iloader ipc.jpg 6 284 3343 2010-12-20T19:27:19Z Farthen 28
iLoader on iPod classic

File:Front 3g.jpg 6 285 3349 2010-12-21T13:41:50Z Sinless 141
front_3g

File:Back 3g.jpg 6 286 3351 2010-12-21T13:50:13Z Sinless 141

Classic 3G 0 247 3354 3353 2010-12-21T14:48:36Z Sinless 141

Here is the 3g's board, although the pictures are not clear. iPod classic MC293, 160GB, silver.

==Photo==
[[Image:Front_3g.jpg|500px]] [[Image:Back_3g.jpg|500px]]

==CPU==
337S3526 8702 N26P9U4 1011 ARM

==RAM==
K4X51163PE

==PMU==
APPLE 338S0445 78030 82 D780113

==AUDIO==
APPLE 338S0394 AICK0952 MAL

==CHARGER==
4066T 84453

==NOTICE==
I can't find anything different from the classic 2g's board (see pictures on the 2g's hardware page). Apple's part number is 820-2437, also the same.

Classic 3G 0 247 3358 3354 2010-12-27T20:37:18Z Farthen 28 cleanup

[[Image:Front_3g.jpg|500px]] [[Image:Back_3g.jpg|500px]]

iPod classic MC293, 160GB, silver

No better teardown pictures of the Classic 3G have been found or made by us yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware.

==Terminology==
By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9 2009. It is the same size as the [[Classic 2G]].

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 3 || CPU || Samsung S5L8702 || 337S3526 8702 N26P9U4 1011 ARM || ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G
|-
| 2 || SDRAM || K4X51163PE || ||
|-
| 5 || Utility Flash || [http://www.sst.com/products/?inode=41340 SST25VF080B] || || Same as on the Nano 3G
|-
| 4 || Audio codec || Cirrus || APPLE 338S0394 AICK0952 MAL ||
|-
| 1 || Power manager || NXP PCF50635 || APPLE 338S0445 78030 82 D780113 ||
|-
| 6 || USB charging || LTC4066 || 4066T 84453 ||
|}

Nano 6G 0 276 3356 3309 2010-12-27T12:42:28Z Wolftail 138 /* Notes */

[[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| <span style="color:red">Red</span> || NAND Flash || || Toshiba TH58NVG6E2FLA4C ||
|-
| <span style="color:cyan">Cyan</span> || || || Apple 33850859 C0E111022 ||
|-
| <span style="color:orange">Orange</span> || || || Apple 338S0783-B1 10298HLS || Could be the Power Manager? Someone please confirm this.
|-
| <span style="color:#e8e838">Yellow</span> || || || 0650 D0UY 027 ||
|-
| <span style="color:blue">Blue</span> || CPU || Samsung S5L8723 || Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 || Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source]
|-
| <span style="color:#cf5eea">Pink</span> || || || 35758907 1025 A 04 629749 ||
|}

==Notes==
The "Nano" 6G is something entirely new that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works or whether we want to do something with it at all.<br />
The red and black wires lead to the battery.

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563
Reviews:
*http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars

Address bruteforcing 0 122 3360 3299 2011-01-02T23:35:22Z ArthuruhtrA 166 Noted that the links are broken.

{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-).
I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z] (broken link). You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z] (also broken). Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains a sweep file for every return address that can possibly be jumped to. The best way to get the files is to extract the ones you need one by one, rather than the whole archive. Also update your iPod to the latest firmware (except for the 4G Nano: update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze the iPod if code has executed, and the files in sweepcrash.7z will crash it if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b', followed by the address they jump to. You should try only the A files for right now.

As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files at a080a2004.htm; otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below (we don't want anyone doing the same files at the same time). Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]].

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one that does neither of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Starting filename !! Ending filename !! Status
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2004.htm || a080a4e04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm || a080b3f04.htm || Tested
|-
| watto || 4G Nano || 1.0.3 || Windows || a080b4004.htm || a080b7f04.htm || Reserved
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0104.htm || a080c1004.htm || Tested
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0a04.htm || a080d0f04.htm || Tested (All #1)
|-
| clueX || 4G Nano || 1.0.3 || Windows || a080d0104.htm || a080d1004.htm || Tested (All #1, except a080d0304 #4)
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080d1104.htm || a080d2f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08010b04.htm || a08027f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08050104.htm || a08057f04.htm || Tested
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a0a04 || a080a1904 || Tested Results Below
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2004.htm || a080a5904.htm || Tested!
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080a6104.htm || a080c7f04.htm || Tested
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080d0104.htm || a080d7f04.htm || Tested
|-
| BlackLotus || 3G Nano || 1.1.3 || Windows || a080e0104.htm || a080e7f04.htm || Reserved
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a080f0104.htm || a080f7f04.htm || Tested
|-
| JoeWheeler || 3G Nano || 1.1.3 || Windows || a08100104.htm || a08100904.htm || Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

{| class="wikitable"
|-
! Username !! iPod generation !! Firmware version !! Windows/Mac !! Sweep filename !! Behavior type !! Notes
|-
| Sto || 2G Nano || 1.1.3 || Windows || a08640568.htm || #4 || Direct jump to buffer
|-
| 3mpty || 1G Classic || 1.0.3 || Windows || a080a2004.htm || #4 || Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier || 2G Classic || 2.0.1 || Windows || a09352f04.htm a09352a04.htm a09352b04.htm || #2 || Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy || 4G Nano || 1.0.4 || Windows/Mac || All || #2 || Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen || 4G Nano || 1.0.3 || Mac || All || #2 || Not exploitable because it's a macpod
|-
| Superandy || 3G Nano || 1.1.3 || Windows || a08010c04 || Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze straight away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. || Pretty cool
|-
| Jwnordquist || 2G Nano || latest || Windows || a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm || #4 ||
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm || #4 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen || 4G Nano || 1.0.3 || Windows || a080a2f04.htm, a080a3a04.htm || #2 || I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a4f04.htm, a080a6c04 to a080a7504 inc. || #4 || Same result with crash and freeze files.
|-
| watto || 4G Nano || 1.0.3 || Windows || a080a5c04.htm || #2 || Same result with crash and freeze files.
|-
| kylemsguy || 4G Nano || 1.0.3 || Windows || a080c0304.htm || #4 || The results for the sweep files were the same
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm || #4 || Same result with crash and freeze files, they both froze.
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm || #2 || Same result for both freeze & crash files
|-
| tucenaber || 3G Nano || 1.1.3 || Windows || a08012b04.htm a08026104.htm || #4 for sweepfreeze #1 for sweepcrash! || Seems interesting to me but these are low addresses (below a080a2004)
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a2f04.htm a080a3a04.htm a080a5c04.htm || #2 for sweepfreeze #2 for sweepcrash || Probably nothing much, but check it out.
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a4b04.htm || VERY Strange..hard to describe <sup>1</sup> || Check this out.. Same for the sweepcrash..
|-
| Eosphere46 || 3G Nano || 1.1.3 || Windows || a080a1004.htm || #3 || Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|-
| KAB123 || 2G Classic || 2.0.1 || Windows || 09196804.htm 08334d04.htm || #4 for sweepfreeze, #4 for sweepcrash. ||
|}

<sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]

File:Dsc2201r.jpg 6 289 3410 2011-01-06T20:38:28Z Windserfer 169
Rockbox alpha on ipod classic 6G

User talk:Windserfer 3 290 3418 2011-01-07T15:21:58Z TheSeven 13 Created page with "The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would ..."
wikitext text/x-wiki The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would be nice if you could come over to our IRC channel to debug this. --[[User:TheSeven|TheSeven]] 15:21, 7 January 2011 (UTC) 0bcee37c0cacf53db0466dc0c6ebf484027fcf19 User talk:TheSeven 3 280 3420 3415 2011-01-07T15:49:47Z Sinless 141 /* Still can't recognized by UMSboot */ new section wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. 
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. 
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file.thanks 8b963a1a4ff688f1e23fd7acdc19bf989aaea08c 3421 3420 2011-01-07T15:52:15Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. 
--[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. 
As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... 
First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks 0c02b0ee72be1886edf10e726ea8cfb1d1b5b175 3424 3421 2011-01-07T15:59:36Z TheSeven 13 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? 
I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e.
answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

28d84d803f2336a0708e33b41701c41cb0781937 3430 3424 2011-01-07T17:00:37Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, i will snap some photos of it.. Then where should i upload it?
-- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now.
As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, i think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. here are the details:
1. put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, i force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
2. install MICROSOFT WDK and reboot, still had the same problem.
3. add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. the new hardware name is iPod Classic/Nano 3G Bootrom DFU.
4. open umsboot, show an error window, I know it is because the lack of .NET framework
5. install .NET 2.0, open ums again, it said no dfu device found.
6. reboot and try, failed.
7. still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words i say, and, where can i find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English..

f03125a46bc255d26c6e967e0a67f498fc291beb 3431 3430 2011-01-07T17:03:15Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, i think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. here are the details:
1. put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, i force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
2. install MICROSOFT WDK and reboot, still had the same problem.
3. add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. the new hardware name is iPod Classic/Nano 3G Bootrom DFU.
4. open umsboot, show an error window, I know it is because the lack of .NET framework
5. install .NET 2.0, open ums again, it said no dfu device found.
6. reboot and try, failed.
7. still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words i say, and, where can i find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message..
0dc264ec9a1117fbbe7b5a4f08690773094301cf 3432 3431 2011-01-07T17:18:46Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up.
I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g.
ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, i think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. here are the details:
1. put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, i force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28.
After that, the hardware name was freemyipod.org-usb dfu device
2. install MICROSOFT WDK and reboot, still had the same problem.
3. add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. the new hardware name is iPod Classic/Nano 3G Bootrom DFU.
4. open umsboot, show an error window, I know it is because the lack of .NET framework
5. install .NET 2.0, open ums again, it said no dfu device found.
6. reboot and try, failed.
7. still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words i say, and, where can i find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message..
And here is the "driver" i made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page

f17567e2f7998c06cc2c5339c4eb4a310a0ea5b4 3436 3432 2011-01-07T17:57:40Z TheSeven 13 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd?
-- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, i think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, i force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. the new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words i say, and, where can i find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message..
And here is the "driver" i made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)

f01f29f02b73daa3c497ffae705706ab216dd7ae 3440 3436 2011-01-07T23:00:38Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same folder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver failed,some lines may missing or error,with an error code 28.
After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,failed. * still failed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message.. And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side.
--[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC) Did you mean that I should install Pyusb instead of Microsoft's wdk?But you once said PyUsb is for Linux users..And I also installed libusb.Which needed in iPhone jailbreak,But it didn't make a sense.En..Are there any difference between Pyusb and libusb? [[User:Sinless|Sinless]] 23:00, 7 January 2011 (UTC) 8985e1ddcafaa6faa0c7d9c785faa75722441a6e 3441 3440 2011-01-07T23:15:56Z Sinless 141 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g?
I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e.
answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same folder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver failed,some lines may missing or error,with an error code 28.
After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,failed. * still failed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message.. And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side.
--[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)Did you mean that I should install Pyusb instead of Microsoft's wdk?But you once said PyUsb is for Linux users..And I also installed libusb.Which needed in iPhone jailbreak,But it didn't make a sense.En..is there any difference between Pyusb and libusb?My classic 3G uses a 32GB small PATA SSD(And I have enough room to install a nokia battery,Now it can play ~140hours),So does this influence umsboot's detection?--[[User:Sinless|Sinless]] 23:15, 7 January 2011 (UTC) d7ba628bcab3f4219f8dfa94a0d0cccab1882897 3443 3441 2011-01-08T01:27:41Z TheSeven 13 Undo revision 3441 by [[Special:Contributions/Sinless|Sinless]] ([[User talk:Sinless|talk]]) wikitext text/x-wiki 8985e1ddcafaa6faa0c7d9c785faa75722441a6e 3444 3443 2011-01-08T01:28:09Z TheSeven 13 Undo revision 3440 by [[Special:Contributions/Sinless|Sinless]] ([[User talk:Sinless|talk]]) wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same folder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver failed,some lines may missing or error,with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,failed. * still failed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message..
And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC) f01f29f02b73daa3c497ffae705706ab216dd7ae 3453 3444 2011-01-08T12:17:57Z Sinless 141 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same folder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver failed,some lines may missing or error,with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,failed. * still failed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)

I finally got it worked! The problem was umsboot need Microsoft .NET framework 3.5, it seemed that .NET 2.0 not support USB. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)

02ebf8d5d57039c8e8dcdfb0097df286ea4eee1e 3454 3453 2011-01-08T12:33:27Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd?
-- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I mod the driver (follow Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, Windows recognized a usb dfu device, I force Windows to install winusb.inf, Windows said installed driver failed, some lines may missing or error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)

I finally got it worked! The problem was umsboot need Microsoft .NET framework 3.5, it seemed that .NET 2.0 not support USB. And you should update the winusb driver, surely your driver lacks those two dll that install Winusb service, I can't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)

a226c5ae12a551ad0ab10bf6fe4ad043970eb787 3456 3454 2011-01-08T12:46:54Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page.
--[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have?
And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I mod the driver (follow Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, Windows recognized a usb dfu device, I force Windows to install winusb.inf, Windows said installed driver failed, some lines may missing or error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)

f01f29f02b73daa3c497ffae705706ab216dd7ae 3457 3456 2011-01-08T12:48:07Z Sinless 141 /* SOLVED! Now please update the driver at once. */ new section wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I mod the driver (follow Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, Windows recognized a usb dfu device, I force Windows to install winusb.inf, Windows said installed driver failed, some lines may missing or error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)

== SOLVED! Now please update the driver at once. ==
I finally got it worked! The problem was umsboot need Microsoft .NET framework 3.5, it seemed that .NET 2.0 not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)

75b468b389a3b0b07f05d8e2c2523c06df7a2756 3459 3457 2011-01-08T13:11:04Z TheSeven 13 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page.
--[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough
Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have?
And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I mod the driver (follow Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu
I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf
Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, Windows recognized a usb dfu device, I force Windows to install winusb.inf, Windows said installed driver failed, some lines may missing or error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it worked! The problem was umsboot need Microsoft .NET framework 3.5, it seemed that .NET 2.0 not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)

fad40f6070b4c11f40392e521f53a422a7cf949f 3464 3459 2011-01-08T13:25:59Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it..
Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now.
As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==

Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message.. And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it worked! The problem was umsboot need microsoft .net framework 3.5, it seemed that .net 2.0 not support USB. And you should update the winusb driver, surely your driver lack that two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP.
--[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP need that two dll, I met the display problem, LCD=2, I just upload the photo and with LCD take apart and write the LCD SN. Hopefully you can make use of the photos

fb96f8142811234dbe01d185c084c4acc3e44478 3468 3464 2011-01-08T13:35:28Z TheSeven 13 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so.
Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses.
What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==

Sorry to trouble you but... First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.
Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message.. And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side.
--[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it worked! The problem was umsboot need microsoft .net framework 3.5, it seemed that .net 2.0 not support USB. And you should update the winusb driver, surely your driver lack that two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP need that two dll, I met the display problem, LCD=2, I just upload the photo and with LCD take apart and write the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least.

98f2b607ce631bc1925d47af04b69beb3e0794cf 3469 3468 2011-01-08T13:35:43Z TheSeven 13 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd?
-- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==

Sorry to trouble you but... First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work.
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it worked! The problem was umsboot need microsoft .net framework 3.5, it seemed that .net 2.0 not support USB. And you should update the winusb driver, surely your driver lack that two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP need that two dll, I met the display problem, LCD=2, I just upload the photo and with LCD take apart and write the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)

9e141e79a21b6159224292fd71685fd8272b6914 3470 3469 2011-01-08T13:39:59Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that.
-- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is Nokia 5310.. the pictures are not clear enough Notice that my classic (MC293, 160GB, firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent.
--[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==

Sorry to trouble you but...
First, the INF file has some error.. After I mod the driver (follow microsoft's WDK guide), it finally installed, but UMS can't recognize classic, windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed, I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to microsoft's example file, I think your inf lost these lines, and filled them after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files under the same folder with winusb.inf Then, I can install the driver successful, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstall WINXP, and directly install winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I force windows to install winusb.inf, windows said installed driver failed, some lines may missing or error, with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add that lines to winusb.inf and copy the two dll files, reinstall the driver, then succeed. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and, where can I find file/picture upload link... In my country no one uses wiki pages like this, sorry:) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) This time I copied ID from your message.. And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it worked! The problem was umsboot need microsoft .net framework 3.5, it seemed that .net 2.0 not support USB. And you should update the winusb driver, surely your driver lack that two dll files that install Winusb service, I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP.
--[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP need that two dll, I met the display problem, LCD=2, I just upload the photo and with LCD take apart and write the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions, I just tested on my friend's classic 1g 80g, also has the problem.

56203d7f37402e210d7e5caa18413ebdca63457d 3472 3470 2011-01-08T13:42:08Z TheSeven 13 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke, as no one provide classic 3g's PCB scan yet, if l4n need this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take apart it soon, and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48.
--[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. 
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you can provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and I filled them in after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files in the same folder as winusb.inf. Then I could install the driver successfully, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstalled WINXP, and directly installed winusb without iTunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I forced windows to install winusb.inf, windows said installing the driver failed, some lines may be missing or in error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because of the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and where can I find the file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs Microsoft .NET Framework 3.5, it seemed that .NET 2.0 does not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install the WinUSB service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP needs those two dlls. I met the display problem, LCD=2. I just uploaded the photo, with the LCD taken apart, and wrote the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions, I just tested on my friend's classic 1g 80g, also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
d35c031ebf8d3c794b50d61a66dc6831f6356969 3473 3472 2011-01-08T13:45:42Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310.. the pictures are not clear enough. Notice that my classic (MC293, 160GB, firmware 2.0.4)'s motherboard is the same as the 2g classic board on the hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up.
I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you can provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and I filled them in after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files in the same folder as winusb.inf. Then I could install the driver successfully, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstalled WINXP, and directly installed winusb without iTunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I forced windows to install winusb.inf, windows said installing the driver failed, some lines may be missing or in error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because of the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and where can I find the file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time I copied ID from your message..

And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs Microsoft .NET Framework 3.5, it seemed that .NET 2.0 does not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install the WinUSB service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP needs those two dlls. I met the display problem, LCD=2. I just uploaded the photo, with the LCD taken apart, and wrote the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions, I just tested on my friend's classic 1g 80g, also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
::::::::Look at the picture, maybe it's a type 3. I have taken many classics, I saw at least 4 versions of screen. [[File:IMG_0014.jpg]] [[File:IMG_0013.jpg]]

669051ba422342b31b60f89ded587e0ee4656a47 3474 3473 2011-01-08T13:47:50Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310.. the pictures are not clear enough. Notice that my classic (MC293, 160GB, firmware 2.0.4)'s motherboard is the same as the 2g classic board on the hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you can provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and I filled them in after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files in the same folder as winusb.inf. Then I could install the driver successfully, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstalled WINXP, and directly installed winusb without iTunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I forced windows to install winusb.inf, windows said installing the driver failed, some lines may be missing or in error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because of the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and where can I find the file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time I copied ID from your message..
And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs Microsoft .NET Framework 3.5, it seemed that .NET 2.0 does not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install the WinUSB service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP needs those two dlls. I met the display problem, LCD=2. I just uploaded the photo, with the LCD taken apart, and wrote the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions, I just tested on my friend's classic 1g 80g, also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
::::::::Look at the picture, maybe it's a type 3. I have taken many classics, I saw at least 4 versions of screen.
http://www.freemyipod.org/wiki/File:IMG_0014.jpg
http://www.freemyipod.org/wiki/File:IMG_0013.jpg

dfa430e36f671015b640aa567abce1fd46881618 3475 3474 2011-01-08T13:49:13Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310.. the pictures are not clear enough. Notice that my classic (MC293, 160GB, firmware 2.0.4)'s motherboard is the same as the 2g classic board on the hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it?
The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==
Sorry to trouble you but... First, the INF file has some error. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic, Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you can provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf lost these lines, and I filled them in after dev_addreg like this
 [Dev_AddReg]
 HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"
 [USB_Install.CoInstallers]
 AddReg=CoInstallers_AddReg
 CopyFiles=CoInstallers_CopyFiles
 [CoInstallers_AddReg]
 HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"
 [CoInstallers_CopyFiles]
 WinUSBCoInstaller2.dll
 WdfCoInstaller01009.dll
Of course, I put the two .dll files in the same folder as winusb.inf. Then I could install the driver successfully, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstalled WINXP, and directly installed winusb without iTunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, windows recognized a usb dfu device, I forced windows to install winusb.inf, windows said installing the driver failed, some lines may be missing or in error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, show an error window, I know it is because of the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the last of the words I say, and where can I find the file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time I copied ID from your message..

And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs Microsoft .NET Framework 3.5, it seemed that .NET 2.0 does not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install the WinUSB service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP needs those two dlls. I met the display problem, LCD=2. I just uploaded the photo, with the LCD taken apart, and wrote the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions, I just tested on my friend's classic 1g 80g, also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
::::::::Yes, look at the picture, I took apart the screen. Maybe it's a type 3. I have taken many classics, I saw at least 4 versions of screen.
::::::::http://www.freemyipod.org/wiki/File:IMG_0014.jpg
::::::::http://www.freemyipod.org/wiki/File:IMG_0013.jpg

306c24037a61e1f2ab8c4e9b2d21adaddcd87aa6 3476 3475 2011-01-08T13:59:24Z Sinless 141 /* Still can't recognized by UMSboot */ wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? As in control the alter the sensor to send modified data to the ipod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it.. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310.. the pictures are not clear enough. Notice that my classic (MC293, 160GB, firmware 2.0.4)'s motherboard is the same as the 2g classic board on the hardware page, Apple's mark is the same 820-2437 -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do.
I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. 
--[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same floder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver filed,some lines may missing or error,with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,filed. * still filed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your massage.. 
And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC) ::I finally got it worked!the problem was umsboot need microsoft .net framework 3.5,it seemd that .net 2.0 not support USB. And you should update the winusb driver,surely your driver lack that two dll files that install Winusb service,I couldn't upload a .rar file.--[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC) :::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probaby make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC) ::::Yes,.net 2.0 can open umsboot but it can't work.XP need that two dll,I met the display problem,LCD=2,I just upload the photo and with LCD take apart and write the LCD SN.Hopefully you can make use of the photos :::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC) ::::::maybe it has several versions,I just tested on my friend's classic 1g 80g,also has the problem. :::::::Is the problem you're experiencing similar to the photo on the wiki page? ::::::::Yes,Look at the picture,I took apart the screen.Maybe it's a type 3,have taken many classic,I saw at least 4 versions of screen. 
::::::::http://www.freemyipod.org/wiki/File:IMG_0014.jpg ::::::::http://www.freemyipod.org/wiki/File:IMG_0013.jpg ::::::::If you need to test new display driver..call me,and if it is possible,please make classic's rockbox can bass to 24db,I really miss that super bass on ipod mini.. ee1a2ad569a0fc0a48ac5b3d648d3d8ef54ad77b 3480 3476 2011-01-08T14:09:51Z TheSeven 13 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? 
--[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. 
What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same floder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. 
Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver filed,some lines may missing or error,with a error code 28. After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,filed. * still filed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your massage.. And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. 
--[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC) ::I finally got it worked!the problem was umsboot need microsoft .net framework 3.5,it seemd that .net 2.0 not support USB. And you should update the winusb driver,surely your driver lack that two dll files that install Winusb service,I couldn't upload a .rar file.--[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC) :::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probaby make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC) ::::Yes,.net 2.0 can open umsboot but it can't work.XP need that two dll,I met the display problem,LCD=2,I just upload the photo and with LCD take apart and write the LCD SN.Hopefully you can make use of the photos :::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC) ::::::maybe it has several versions,I just tested on my friend's classic 1g 80g,also has the problem. :::::::Is the problem you're experiencing similar to the photo on the wiki page? ::::::::Yes,Look at the picture,I took apart the screen.Maybe it's a type 3,have taken many classic,I saw at least 4 versions of screen. ::::::::http://www.freemyipod.org/wiki/File:IMG_0014.jpg ::::::::http://www.freemyipod.org/wiki/File:IMG_0013.jpg ::::::::If you need to test new display driver..call me,and if it is possible,please make classic's rockbox can bass to 24db,I really miss that super bass on ipod mini.. :::::::::The tone controls are handled by hardware (to save processing power and thus battery power), and that can only handle up to +12dB. If you need more, you'll have to use a build which uses software-based tone controls instead. 
--[[User:TheSeven|TheSeven]] 14:09, 8 January 2011 (UTC) c4ed452cdb4b174d7014a30f2edce65be8381b8a 3481 3480 2011-01-08T14:21:37Z Sinless 141 wikitext text/x-wiki is there any scope of finding vulnerabilities, being able to execute code through the nike+ ipod kits? as in control the alter the sensor to send modified data to the ipod through the kit? i guess we havent already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010 :I don't the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC) Hello.my classic 3g's HDD just broke,as no one provide classic 3g's PCB scan yet,if l4n need this,i will snap some photos of it.. Then where should i upload it? -- [[User:sinless]] :I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC) OK.I will take apart it soon,and does anybody know can classic work with a ssd? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8) :It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC) I just took apart my classic 3g,but the only camera I can use is Nokia 5310..the pictures are not clear enough Notice that my classic(MC293,160GB,firmware 2.o.4)'s motherboard is the same to the 2g classic board in hardware page,Apple's mark is the same 820-2437-- [[User:sinless]] 21:00, 21 December 2010 (GMT+8) == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]] :AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC) Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. 
I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]] I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]] :I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. 
ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... First,the INF file has some error..After I mod the driver(follow microsoft's WDK guide),it finally installed,but UMS can't recognized classic,windows recognized it as a freemyipod.org ipod nano3/classic dfu I hope you provide us a one-click install tool or just fix the inf file,or just tell us what other software is needed,I have installed .NET 2.0 and WDK.thanks :Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC) Compared to microsoft's example file,i think your inf lost these lines,and filled them after dev_addreg like this [Dev_AddReg] HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}" [USB_Install.CoInstallers] AddReg=CoInstallers_AddReg CopyFiles=CoInstallers_CopyFiles [CoInstallers_AddReg] HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll" [CoInstallers_CopyFiles] WinUSBCoInstaller2.dll WdfCoInstaller01009.dll Of course,I put the two .dll files under the same floder with winusb.inf Then,I can install the driver successful,but the new problem is UmsBOOT not recognized. Addition:I have just reinstall WINXP,and directly install winusb without itunes.here are the details: * put classic 3g into DFU,and connected it to computer,windows recognized a usb dfu device,i force windows to install winusb.inf,windows said installed driver filed,some lines may missing or error,with a error code 28. 
After that, the hardware name was freemyipod.org-usb dfu device * install MICROSOFT WDK and reboot,still had the same problem. * add that lines to winusb.inf and copy the two dll files,reinstall the driver,then succeed.the new hardware name is iPod Classic/Nano 3G Bootrom DFU. * open umsboot,show an error window,I know it is because the lack of .NET framework * install .NET 2.0,open ums again,it said no dfu device found. * reboot and try,filed. * still filed... And I have some small questions about the wiki...how to show my ID at the last of the words i say,and,where can i find file/picture upload link...In my country no one uses wiki pages like this,sorry:) And sorry for my poor English..--[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time i copied ID from your massage.. And here is the "driver" i made,if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page :The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead. :The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC) ::I finally got it worked!the problem was umsboot need microsoft .net framework 3.5,it seemd that .net 2.0 not support USB. And you should update the winusb driver,surely your driver lack that two dll files that install Winusb service,I couldn't upload a .rar file.--[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC) :::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. 
3482 3481 2011-01-08T14:33:34Z Sinless 141 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the Nike+ iPod kits? As in control the alter the sensor to send modified data to the iPod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310. The pictures are not clear enough. Notice that the motherboard of my classic (MC293, 160GB, firmware 2.o.4) is the same as the 2g classic board on the hardware page; Apple's mark is the same, 820-2437. -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporate any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== Still can't recognized by UMSboot ==

Sorry to trouble you, but... First, the INF file has some errors. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic; Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you can provide us a one-click install tool, or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks.
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)

Compared to Microsoft's example file, I think your inf is missing these lines, and I filled them in after dev_addreg like this:

[Dev_AddReg]
HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"

[USB_Install.CoInstallers]
AddReg=CoInstallers_AddReg
CopyFiles=CoInstallers_CopyFiles

[CoInstallers_AddReg]
HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"

[CoInstallers_CopyFiles]
WinUSBCoInstaller2.dll
WdfCoInstaller01009.dll

Of course, I put the two .dll files in the same folder as winusb.inf. Then I could install the driver successfully, but the new problem is that it is not recognized by UmsBOOT.

Addition: I have just reinstalled WinXP and directly installed winusb without iTunes. Here are the details:
* Put the classic 3g into DFU and connected it to the computer. Windows recognized a USB DFU device. I forced Windows to install winusb.inf; Windows said installing the driver failed, some lines may be missing or wrong, with error code 28. After that, the hardware name was freemyipod.org-usb dfu device.
* Installed the Microsoft WDK and rebooted; still had the same problem.
* Added those lines to winusb.inf and copied the two dll files, reinstalled the driver, then it succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* Opened umsboot; it showed an error window. I know it is because of the lack of the .NET framework.
* Installed .NET 2.0 and opened ums again; it said no dfu device found.
* Rebooted and tried; failed.
* Still failed...
And I have some small questions about the wiki... How do I show my ID at the end of the words I say, and where can I find the file/picture upload link? In my country no one uses wiki pages like this, sorry :) And sorry for my poor English. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8)

This time I copied the ID from your message. And here is the "driver" I made, if it can help: http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if Windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs Microsoft .NET Framework 3.5; it seemed that .NET 2.0 does not support USB. And you should update the winusb driver; surely your driver lacks those two dll files that install the WinUSB service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .NET 2.0 can open umsboot but it can't work. XP needs those two dlls. I met the display problem, LCD=2. I just uploaded the photos, with the LCD taken apart, and wrote down the LCD SN. Hopefully you can make use of the photos.
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::Maybe it has several versions. I just tested on my friend's classic 1g 80g; it also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
::::::::Yes, look at the picture, I took apart the screen. Maybe it's a type 3. Having taken apart many classics, I saw at least 4 versions of the screen.
::::::::http://www.freemyipod.org/wiki/File:IMG_0014.jpg
::::::::http://www.freemyipod.org/wiki/File:IMG_0013.jpg
::::::::If you need to test a new display driver, call me. And if it is possible, please make the classic's Rockbox able to boost bass to 24dB; I really miss that super bass on the iPod mini.
:::::::::The tone controls are handled by hardware (to save processing power and thus battery power), and that can only handle up to +12dB. If you need more, you'll have to use a build which uses software-based tone controls instead. --[[User:TheSeven|TheSeven]] 14:09, 8 January 2011 (UTC)
:::::::::The problem LCD has a small tube that looks like a rheostat on the wire. It is similar to the Nano 2G's type 2 LCD; the type 1 LCD doesn't have a rheostat.

e03c9829f4103b9fdba87e74f4b4db5e7a01d1c4

3483 3482 2011-01-08T19:55:34Z Wolftail 138 wikitext text/x-wiki

Is there any scope of finding vulnerabilities, being able to execute code through the Nike+ iPod kits? As in control the alter the sensor to send modified data to the iPod through the kit? I guess we haven't already tried that. -- [[User:Psgarcha92]], 19:29, 21 November 2010
:I don't think the sensor will ever send data that's complex enough for the parser to have an exploitable bug. --[[User:TheSeven|TheSeven]] 18:22, 22 November 2010 (UTC)

Hello. My classic 3g's HDD just broke. As no one has provided a classic 3g PCB scan yet, if l4n needs this, I will snap some photos of it. Then where should I upload it? -- [[User:sinless]]
:I think you should upload them here [http://www.freemyipod.org/wiki/Special:Upload] and then add them to the Classic 3G page. --[[User:Benedikt93|Benedikt93]] 15:00, 17 December 2010 (UTC)

OK. I will take it apart soon, and does anybody know whether the classic can work with an SSD? -- [[User:sinless]] 23:00, 17 December 2010 (GMT+8)
:It should be able to handle pretty much everything that's PATA or CE-ATA, and the OF also supports LBA48. --[[User:TheSeven|TheSeven]] 13:49, 20 December 2010 (UTC)

I just took apart my classic 3g, but the only camera I can use is a Nokia 5310. The pictures are not clear enough. Notice that the motherboard of my classic (MC293, 160GB, firmware 2.o.4) is the same as the 2g classic board on the hardware page; Apple's mark is the same, 820-2437. -- [[User:sinless]] 21:00, 21 December 2010 (GMT+8)

== Asked about IPL on the Nano 2G ==

When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now.
As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC) If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it then I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]] :I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't to is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC) == Still can't recognized by UMSboot == Sorry to trouble you but... 
First, the INF file has some errors. After I modded the driver (following Microsoft's WDK guide), it finally installed, but UMS can't recognize the classic; Windows recognized it as a freemyipod.org ipod nano3/classic dfu. I hope you provide us a one-click install tool or just fix the inf file, or just tell us what other software is needed. I have installed .NET 2.0 and WDK. Thanks
:Which changes to the inf file were needed? Did you change anything else besides the CoInstallers? Did you change one of the GUIDs? The DFU tool uses the GUID, VID and PID to recognize the device. If one of those doesn't match, it won't work. --[[User:TheSeven|TheSeven]] 15:59, 7 January 2011 (UTC)
Compared to Microsoft's example file, I think your inf lost these lines, and I filled them in after dev_addreg like this:

[Dev_AddReg]
HKR,,DeviceInterfaceGUIDs,0x10000,"{2084a03c-04b1-4acc-9236-69fe2e7d5770}"

[USB_Install.CoInstallers]
AddReg=CoInstallers_AddReg
CopyFiles=CoInstallers_CopyFiles

[CoInstallers_AddReg]
HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01009.dll,WdfCoInstaller","WinUSBCoInstaller2.dll"

[CoInstallers_CopyFiles]
WinUSBCoInstaller2.dll
WdfCoInstaller01009.dll

Of course, I put the two .dll files in the same folder as winusb.inf.
Then I can install the driver successfully, but the new problem is UmsBOOT not recognized.

Addition: I have just reinstalled WINXP and directly installed winusb without itunes. Here are the details:
* put classic 3g into DFU, and connected it to computer, Windows recognized a usb dfu device, I forced Windows to install winusb.inf, Windows said installing the driver failed, some lines may be missing or in error, with an error code 28. After that, the hardware name was freemyipod.org-usb dfu device
* install MICROSOFT WDK and reboot, still had the same problem.
* add those lines to winusb.inf and copy the two dll files, reinstall the driver, then succeeded. The new hardware name is iPod Classic/Nano 3G Bootrom DFU.
* open umsboot, shows an error window, I know it is because of the lack of .NET framework
* install .NET 2.0, open ums again, it said no dfu device found.
* reboot and try, failed.
* still failed...
And I have some small questions about the wiki... how to show my ID at the end of the words I say, and where can I find the file/picture upload link... In my country no one uses wiki pages like this, sorry :) And sorry for my poor English.. --[[User:Sinless|Sinless]] 01:02, 8 January 2011 (GMT+8) this time I copied the ID from your message..

And here is the "driver" I made, if it can help http://down.qiannao.com/space/file/qiannao/share/2011/1/8/iPodClassicWindowsInstaller.rar/.page
:The changes look good, I can't see why that shouldn't work. If the first installation try failed because of the coinstallers, there might have been some leftovers. Uninstall the device completely, choose yes if windows asks you if you want to remove the driver. Then try installing the modified one directly. Other than that, I'm pretty much out of ideas. You might want to go the Python/PyUSB/libusb-win32 route instead.
:The wiki editor will replace a sequence of four ~ signs with your signature. The upload link is hiding in the toolbox on the left side. --[[User:TheSeven|TheSeven]] 17:57, 7 January 2011 (UTC)
::I finally got it working! The problem was that umsboot needs microsoft .net framework 3.5, it seemed that .net 2.0 does not support USB. And you should update the winusb driver, surely your driver lacks those two dll files that install the Winusb service. I couldn't upload a .rar file. --[[User:Sinless|Sinless]] 12:17, 8 January 2011 (UTC)
:::Interesting... I actually compiled it for .NET 4.0, but it seemed to work on 2.0 as well. I should probably make another zip file with all the things needed by XP. --[[User:TheSeven|TheSeven]] 13:11, 8 January 2011 (UTC)
::::Yes, .net 2.0 can open umsboot but it can't work. XP needs those two dll. I met the display problem, LCD=2. I just uploaded the photo, with the LCD taken apart, and wrote the LCD SN. Hopefully you can make use of the photos
:::::The type 2 LCD of my 3G classic works fine within iLoader at least. --[[User:TheSeven|TheSeven]] 13:35, 8 January 2011 (UTC)
::::::maybe it has several versions, I just tested on my friend's classic 1g 80g, it also has the problem.
:::::::Is the problem you're experiencing similar to the photo on the wiki page?
::::::::Yes, look at the picture, I took apart the screen. Maybe it's a type 3, I have taken apart many classics, I saw at least 4 versions of screen.
::::::::http://www.freemyipod.org/wiki/File:IMG_0014.jpg
::::::::http://www.freemyipod.org/wiki/File:IMG_0013.jpg
::::::::If you need to test a new display driver.. call me, and if it is possible, please make classic's rockbox able to bass to 24db, I really miss that super bass on ipod mini..
:::::::::The tone controls are handled by hardware (to save processing power and thus battery power), and that can only handle up to +12dB. If you need more, you'll have to use a build which uses software-based tone controls instead. --[[User:TheSeven|TheSeven]] 14:09, 8 January 2011 (UTC)
:::::::::The problem LCD has a small tube that looks like a rheostat on the wire. It is similar to NANO2G's type 2 lcd, type1 lcd doesn't have a rheostat

e03c9829f4103b9fdba87e74f4b4db5e7a01d1c4
3533 3487 2011-01-09T18:49:04Z TheSeven 13 wikitext text/x-wiki

== Asked about IPL on the Nano 2G ==
When will I be able to use ipl on my Nano 2g? I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)
Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)
If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the ipod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e. answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

859220f2fbb980a7a0a9f8ae30b4d98db2a90753
File:RockboxiPodClassic.jpg 6 291 3422 2011-01-07T15:54:53Z TheSeven 13 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
User talk:Windserfer 3 290 3426 3418 2011-01-07T16:34:26Z Windserfer 169 wikitext text/x-wiki

The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would be nice if you could come over to our IRC channel to debug this. --[[User:TheSeven|TheSeven]] 15:21, 7 January 2011 (UTC)

Yes, I thought it was so because of the early stage! Right now I have no time, but tomorrow I surely will!

3b8c134c1f59d429784bb5cc8b78866bfcd79b68
Main Page 0 50 3446 3363 2011-01-08T01:35:20Z TheSeven 13 wikitext text/x-wiki

__NOTOC__
[[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]

==Updates==
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic!
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
*{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
*{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
*{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

94a52c85d3bc4f4dc0f582e0e12db3b7de3f9366
3546 3446 2011-01-10T16:16:00Z Farthen 28 /* Project info */ wikitext text/x-wiki

__NOTOC__
[[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]

==Updates==
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
*{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
*{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
*{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information.

{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
** [[ Toolchain ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Bootstrapping sequence]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

4c0d864abbcb4b6add23092b6bbbe901e2833965
File:IMG 0013.jpg 6 292 3461 2011-01-08T13:16:41Z Sinless 141 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
File:IMG 0014.jpg 6 293 3462 2011-01-08T13:18:54Z Sinless 141 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
Contact 0 259 3477 3211 2011-01-08T14:00:07Z TheSeven 13 wikitext text/x-wiki

There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch.
We don't do anything with them nor can we help you with anything on these devices. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged, please check http://logs.freemyipod.org for the logfiles. === #freemyipod === This channel is for anything related to the project. This may be development related, but can also be a simple question to something. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [http://webchat.freenode.net/?channels=freemyipod here]) === #freemyipod-support === This is our support channel. If you have questions or problems concerning our software, this is the place to ask. You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [http://webchat.freenode.net/?channels=freemyipod-support here]) === #freemyipod-chatter === This is our offtopic channel. Any stuff that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [http://webchat.freenode.net/?channels=freemyipod-chatter here]) == Mailing lists == We have several mailing lists. You can find them on http://lists.freemyipod.org. === freemyipod === This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page] === freemyipod-commits === This is a information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repositiory]]. You can not post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here] == Mail == If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. 
Please only use this if you really want to contact this specific member, if you have a general question, suggestion or request please send it to the mailing list.
6b3830519bf230c7cd75d3907a758bd6aa384f3f
3478 3477 2011-01-08T14:00:42Z TheSeven 13 wikitext text/x-wiki
5ad304000ed3f0cc56b0b0d4005c008c980b4b77
3479 3478 2011-01-08T14:01:02Z TheSeven 13 wikitext text/x-wiki
8a87f9206787be1aad1a1473e0bb7e2edd6d9fa2
MediaWiki:Sidebar 8 260 3488 3169 2011-01-08T21:41:37Z TheSeven 13 wikitext text/x-wiki
* navigation
** mainpage|mainpage-description
** recentchanges-url|recentchanges
** randompage-url|randompage
* SEARCH
* Info
** Status|Status
** Contact|Contact
** Contributing|Contributing
** Todo list|Todo list
** Project summary|Project summary
* Software
** iLoader|iLoader
** iBugger|iBugger
** emBIOS|emBIOS
* Basic skills
** Working with binaries|Working with binaries
** Dumping firmware|Dumping firmware
** Extracting firmware|Extracting firmware
* Reverse engineering Results
** Firmware|Firmware
** Bootstrapping sequence|Bootstrapping sequence
** Firmware decryption|Firmware decryption
** GUID table|GUID Table
** Nano 2G
*** Nano 2G Clock Gates|Nano 2G Clock Gates
*** Nano2G LCD init|Nano2G LCD init
*** Nano2G FTL|Nano2G FTL
** Nano 4G
*** Nano4G firmware upgrade process|Nano4G firmware upgrade process
* Exploiting
** Pwnage 2.0|Pwnage 2.0
** Notes vulnerability|Notes vulnerability
* Hardware
** Hardware|Hardware
** Chronology|Chronology
** S5L8700 datasheet|S5L8700 datasheet
* Other Guides
** MPEG movies|MPEG movies
** Modes|Modes
* TOOLBOX
* LANGUAGES
a618cb92e822686708b0fa7849b14d4923a47ce1
Modes 0 52 3534 3313 2011-01-09T20:28:50Z User890104 124 wikitext text/x-wiki
Nanos have special modes that they can boot into, called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board or flashing the NOR with invalid code.

===Getting DFU mode on 3G/4G===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep holding the buttons until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| 1260
| 1220
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| ?
| ?
|-
| Classic 3G
| 1261
| 1223
|}

Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod.
Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
1770fdfa698ddafa9b1748539b7c64932acfecef
3538 3534 2011-01-09T22:05:39Z TheSeven 13 /* DFU mode */ wikitext text/x-wiki
Nanos have special modes that they can boot into, called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board or flashing the NOR with an image with a wrong signature/hash.

===Getting DFU mode on iPod Classic, Nano 3G and newer ===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep holding the buttons until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| 1260
| 1220
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| 1261
| 1223
|-
| Classic 3G
| 1261
| 1223
|}

Please replace the question marks if you can.

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
9ba5eca164823c0a37ccc7756777043b76e201c2
3539 3538 2011-01-09T22:05:52Z TheSeven 13 wikitext text/x-wiki
Nanos have special modes that they can boot into, called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done.
Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board or flashing the NOR with an image with a wrong signature/hash.

===Getting DFU mode on iPod Classic, Nano 3G and newer ===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep holding the buttons until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| 1260
| 1220
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| 1261
| 1223
|-
| Classic 3G
| 1261
| 1223
|}

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
dd94b4e64a038b617ee165fb109d2be6a1196097
Troubleshooting 0 295 3537 2011-01-09T22:02:44Z User890104 124 Created page with "Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken, it means that you should follow the ..." wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only).
You can get the scripts by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may fail to finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>
emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB
</pre>

====Uploading an emBIOS binary====
You will need a known-working emBIOS build. You can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] (not recommended because they aren't tested), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done
</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen. It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself.
Place it in the same folder as the previous files, then run:
<pre>python embios.py runfirmware 08000000 installer.bin</pre>
You should see something similar to this in your terminal window:
<pre>Connected to emBIOS Debugger vX.X.X rXXX running on iPod nano 2g
Writing file 'installer-XXXXXXXX.bin' to memory at 0x8000000...done
Running firmware at 0x8000000. Bye.</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your iLoader installation.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader. You can build one yourself, or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell; if you are on Windows, you may need to run it in an administrator command prompt)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. Proceed with the instructions from the previous section starting with "Uploading an emBIOS binary", in order to recover your iLoader installation.
926b5ee0baa4ac111b55b9087bf0999ed1106302
3541 3537 2011-01-09T22:13:56Z TheSeven 13 /* Nano 2G */ wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case.
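Which set of recovery instructions applies depends on the mode the device is actually in, and the USB product ID shows that from the host side. The following Python code is an added example, not part of the freemyipod tools: it matches <code>lsusb</code> output against the product-ID table from the [[Modes]] page (latest revision) and reports every model that shares an ID. The function names and the sample <code>lsusb</code> lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple

APPLE_VENDOR_ID = "05ac"

# (device, normal-mode product IDs, DFU-mode product IDs), copied from the
# product-ID table on the Modes page. IDs are hex strings as lsusb prints them.
PRODUCT_TABLE = [
    ("Nano 2G", {"1260"}, {"1220"}),
    ("Nano 3G", {"1262"}, {"1223", "1224"}),
    ("Nano 4G", {"1263"}, {"1225"}),
    ("Nano 5G", {"1265"}, {"1231"}),
    ("Classic 1G", {"1261"}, {"1223"}),
    ("Classic 2G", {"1261"}, {"1223"}),
    ("Classic 3G", {"1261"}, {"1223"}),
]

# Matches the "ID vvvv:pppp" field of an lsusb line.
LSUSB_ID = re.compile(r"\bID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")

MODE_LABEL = {"normal": "normal mode", "dfu": "DFU mode"}

# Constructed sample input (not captured from a real host). 05ac:ffff is a
# made-up product ID used to exercise the "not in the table" path.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 007: ID 05ac:1220 Apple, Inc.
Bus 001 Device 008: ID 05ac:1223 Apple, Inc.
Bus 001 Device 009: ID 05ac:1261 Apple, Inc.
Bus 001 Device 010: ID 05ac:ffff Apple, Inc.
"""


class Finding(NamedTuple):
    product_id: str
    mode: str              # "normal", "dfu" or "unknown"
    candidates: List[str]  # every table row that lists this product ID


def lookup(product_id: str) -> Finding:
    """Map one Apple product ID to a mode and the models that use it."""
    pid = product_id.lower()
    for mode, column in (("normal", 1), ("dfu", 2)):
        names = [row[0] for row in PRODUCT_TABLE if pid in row[column]]
        if names:
            return Finding(pid, mode, names)
    return Finding(pid, "unknown", [])


def classify_lsusb(output: str) -> List[Finding]:
    """Return one Finding per Apple (05ac) device listed in lsusb output."""
    findings = []
    for line in output.splitlines():
        match = LSUSB_ID.search(line)
        if match and match.group(1).lower() == APPLE_VENDOR_ID:
            findings.append(lookup(match.group(2)))
    return findings


def describe(finding: Finding) -> str:
    """One-line summary; flags product IDs that several models share."""
    prefix = f"{APPLE_VENDOR_ID}:{finding.product_id}"
    if finding.mode == "unknown":
        return f"{prefix}: Apple device not in the table"
    models = " or ".join(finding.candidates)
    note = "" if len(finding.candidates) == 1 else " (ID shared, model ambiguous)"
    return f"{prefix}: {models} in {MODE_LABEL[finding.mode]}{note}"


if __name__ == "__main__":
    for found in classify_lsusb(SAMPLE_LSUSB):
        print(describe(found))
```

On a real host, pass the text printed by <code>lsusb</code> to <code>classify_lsusb()</code> instead of the sample. Product ID 1223 is shared by the Nano 3G and all three Classics in DFU mode, so the ID alone cannot tell those models apart.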
Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may fail to finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>
emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB
</pre>
At that point you can either run an emBIOS build directly to manually fix the problem, or reinstall iLoader, in case the problem was caused by a failed update.

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself.
Place it in the same folder as the previous files, then run:
<pre>python embios.py runfirmware 08000000 installer.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emBIOS Debugger vX.X.X rXXX running on iPod nano 2g
Writing file 'installer-XXXXXXXX.bin' to memory at 0x8000000...done
Running firmware at 0x8000000. Bye.</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your iLoader installation.

====Uploading an emBIOS binary====
You will need a known-working emBIOS build. You can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] (not recommended because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done
</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen. It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader.
You can build one yourself (but only if you have access to a working Nano2G), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. Proceed with the instructions from the previous sections in order to recover your iLoader installation.
8ae157cdf657cbc4aaf803eadbb1c96c9cc0c335
3542 3541 2011-01-10T12:29:06Z User890104 124 wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may fail to finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on.
If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
At that point you can either run an emBIOS build directly to manually fix the problem, or reinstall iLoader, in case the problem was caused by a failed update.

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python embiosldr.py run installer-*.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your iLoader installation.

====Uploading an emBIOS binary====
You will need a known-working emBIOS build. You can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] (not recommended because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen.
It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the embios.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader. You can build one yourself (but only if you have access to a working Nano2G), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emBIOS_binary|Uploading an emBIOS binary]]) in order to recover your iLoader installation.
7747a2eac9fccf3ecfe38b72f792dd139eb542d9
3543 3542 2011-01-10T12:29:58Z User890104 124 wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition.
Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may fail to finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
At that point you can either run an emBIOS build directly to manually fix the problem, or reinstall iLoader, in case the problem was caused by a failed update.

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python embiosldr.py run installer-*.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program.
Follow the instructions on the screen to update your iLoader installation.

====Uploading an emBIOS binary====
You will need a known-working emBIOS build. You can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] (not recommended because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen. It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the embios.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader. You can build one yourself (but only if you have access to a working Nano2G), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
You can proceed with the instructions from the previous sections ([[#Uploading_an_installer]] or [[#Uploading_an_emBIOS_binary]]) in order to recover your iLoader installation.
ed2dc4222d7d9654c1397cbfab3f9d630660144b
3544 3543 2011-01-10T12:32:46Z User890104 124 Undo revision 3543 by [[Special:Contributions/User890104|User890104]] ([[User talk:User890104|talk]]) wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may fail to finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on.
If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
At that point you can either run an emBIOS build directly to manually fix the problem, or reinstall iLoader, in case the problem was caused by a failed update.

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python embiosldr.py run installer-*.bin</pre>
(If you are on *nix, you may need to prefix it with "sudo" or run it from a root shell.)

You should see something similar to this in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your iLoader installation.

====Uploading an emBIOS binary====
You will need a known-working emBIOS build: you can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] (not recommended because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
(If you are on *nix, you may need to prefix it with "sudo" or run it from a root shell.)

You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen. It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the embios.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader. You can build one yourself (but only if you have access to a working Nano2G), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(If you are on *nix, you may need to prefix it with "sudo" or run it from a root shell.)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emBIOS_binary|Uploading an emBIOS binary]]) in order to recover your iLoader installation.
7747a2eac9fccf3ecfe38b72f792dd139eb542d9 Toolchain 0 296 3545 2011-01-10T16:04:59Z Farthen 28 First draft wikitext text/x-wiki

To compile our code and to use our Python scripts that communicate with software running on the target, such as emBIOS, you need some tools:

<!-- TODO: Compiler toolchain for ARM cross compiling -->

== Python Scripts ==
To use our Python scripts that communicate with the target via USB you need the following tools:
* [http://www.libusb.org/wiki/libusb-1.0 LibUSB v1.x]
* [http://www.python.org/download/ Python version 2.6 or higher]. Python 3 is '''not''' tested yet and will probably not work.
* [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ PyUSB v1.x]

<!-- TODO: Installation instructions -->

bc38a982e08c758f8eb7e07d5943aec665f5a738 Main Page 0 50 3547 3546 2011-01-10T16:25:43Z Farthen 28 /* Basic skills */ wikitext text/x-wiki

__NOTOC__
[[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares, such as [http://www.rockbox.org rockbox], to them. Freemyipod is a relaunch of [[Linux4nano]].

==Updates==
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic!
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Bootstrapping sequence]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 6a5f7a8df80595b5fc85cbab08f5c55a07357c7c 3573 3547 2011-01-11T20:39:35Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Updates== * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. 
The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! 
[http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} ec213655f46706276fce1886edb71e815a69c9ca 3590 3573 2011-01-14T14:47:27Z Farthen 28 /* Basic skills */ wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. 
Freemyipod is a relaunch of [[Linux4nano]] ==Updates== * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! 
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} cd81f0c195552bbd147ab5f333f82f30dec7bacb 3683 3590 2011-02-04T18:51:15Z Farthen 28 /* Released Software */ wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. 
Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Updates== * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. 
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] * [[emCORE]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 000582e6e1f696ab1cdbf693f9747092cc916925 3787 3683 2011-03-25T17:18:59Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha 
on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Updates== *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. 
Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] * [[emCORE]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** 
[[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} b486020d3762fc4dd6cb2c0e8b06bd511f64071a 3788 3787 2011-03-25T17:19:29Z Farthen 28 /* Released Software */ wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Updates== *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. 
A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
** [[ Toolchain ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emCORE]]
** [[emCORE Monitor Protocol]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}

4c6f65b4741a332982bfb85c3529abd9cbf92ff7 Nano 4G 0 243 3548 3282 2011-01-10T16:33:05Z Farthen 28 wikitext text/x-wiki

[[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 2
| CPU
| Samsung S5L8720
| 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831
| ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
|
| SDRAM
|
|
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| 4
| Accelerometer
| [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL]
| 33DL, 2827
| The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
|-
| 6
| NAND Flash
| Varies
| TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE
|
|-
| 5
| Audio codec
| Probably Cirrus
| 338S055C, 189N0824, SGP
| I determined this because the [[Nano 5G]] has a similar chip whose identity we are sure of. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air.
|-
| 1
| Power manager
| D1759
| 338S0687-AC, 08288HBB
|
|-
| 3
|
|
|
|
|}

==Executing Code==
As of now, the only ways to execute code on the nano 4g are the [[Notes vulnerability]] and [[Pwnage 2.0]]. As we don't know yet how to initialize the SDRAM on the nano 4g, the only useful method is the Notes vulnerability. The only working note at the moment is an [[IBugger | iBugger loader]].

'''Attention''': The Notes vulnerability was patched in the v1.0.4 firmware update of the nano 4g. You need to [[Firmware_downgrading | downgrade to v1.0.3]] to still use the Notes vulnerability.

To run iBugger loader, download the [http://files.freemyipod.org/targets/iPod%20nano%204g/n4g_ibugger_libusb1.zip nano 4g iBugger package]. To use the scripts in there you need a working [[Toolchain#Python_Scripts | Python Toolchain]].

Simply put the "n4g-ibugger.bootnote" in the "Notes" directory of your iPod and safely remove it.
A Mandelbrot set should be displayed on the screen with some text stating it is Unified iBugger loader v0.1.1 running on Nano 4G.

To run [[emBIOS]] (which is most certainly what you want) run these commands:
 python ibugger.py upload 08000000 embios-ipodnano4g-rXYZ.bin
 python ibugger.py execute 08000000 0a000000
You can then use the emBIOS tools to communicate with emBIOS.

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
683bf44ce014fbbf300574491b5f67e58d1658b3
User talk:Windserfer 3 290 3549 3426 2011-01-10T17:58:58Z Windserfer 169 wikitext text/x-wiki
The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would be nice if you could come over to our IRC channel to debug this. --[[User:TheSeven|TheSeven]] 15:21, 7 January 2011 (UTC)

yes i thought it was so because of the early stage! right now I have no time, but tomorrow I surely will!

Hi, i know i'm annoying but could u link me to the irc? I want to debug this and see why the new version of iloader doesn't work (the ubi file stops at "booting..." --[[User:Windserfer|Windserfer]] 17:58, 10 January 2011 (UTC))
35bfb99644ac5b6cfb2ec54cc265fc46ef5885c2
3572 3549 2011-01-11T20:39:16Z Benedikt93 145 wikitext text/x-wiki
The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would be nice if you could come over to our IRC channel to debug this. --[[User:TheSeven|TheSeven]] 15:21, 7 January 2011 (UTC)

:yes i thought it was so because of the early stage! right now I have no time, but tomorrow I surely will!

Hi, i know i'm annoying but could u link me to the irc?
I want to debug this and see why the new version of iloader doesn't work (the ubi file stops at "booting..." --[[User:Windserfer|Windserfer]] 17:58, 10 January 2011 (UTC))

:You'll find more info about them and links to a webchat at the [[Contact]] page. --[[User:Benedikt93|Benedikt93]] 20:39, 11 January 2011 (UTC)
928fcfad91633bce6125562d027b41961c8ae4ec
3587 3572 2011-01-13T21:33:57Z Windserfer 169 wikitext text/x-wiki
The picture you added to the iPod Classic installation braindump page doesn't look like the LCD driver is working right on your iPod. As this doesn't happen on my iPod, it would be nice if you could come over to our IRC channel to debug this. --[[User:TheSeven|TheSeven]] 15:21, 7 January 2011 (UTC)

:yes i thought it was so because of the early stage! right now I have no time, but tomorrow I surely will!

Hi, i know i'm annoying but could u link me to the irc? I want to debug this and see why the new version of iloader doesn't work (the ubi file stops at "booting..." --[[User:Windserfer|Windserfer]] 17:58, 10 January 2011 (UTC))

:You'll find more info about them and links to a webchat at the [[Contact]] page. --[[User:Benedikt93|Benedikt93]] 20:39, 11 January 2011 (UTC)

HI everybody! just to let you know i solved the screen problem and rockbox is running flawlessly!!!
0d90693f3f99a6f7f6df4a39f1c0d1db805ab6f7
MediaWiki:Sidebar 8 260 3574 3488 2011-01-11T20:39:51Z TheSeven 13 wikitext text/x-wiki
* navigation
** mainpage|mainpage-description
** recentchanges-url|recentchanges
** randompage-url|randompage
* SEARCH
* Info
** Status|Status
** Contact|Contact
** Contributing|Contributing
** Todo list|Todo list
** Project summary|Project summary
* Software
** iLoader|iLoader
** iBugger|iBugger
** emBIOS|emBIOS
* Basic skills
** Working with binaries|Working with binaries
** Dumping firmware|Dumping firmware
** Extracting firmware|Extracting firmware
* Reverse engineering Results
** Firmware|Firmware
** Firmware decryption|Firmware decryption
** GUID table|GUID Table
** Nano 2G
*** Nano 2G Clock Gates|Nano 2G Clock Gates
*** Nano2G LCD init|Nano2G LCD init
*** Nano2G FTL|Nano2G FTL
** Nano 4G
*** Nano4G firmware upgrade process|Nano4G firmware upgrade process
* Exploiting
** Pwnage 2.0|Pwnage 2.0
** Notes vulnerability|Notes vulnerability
* Hardware
** Hardware|Hardware
** Chronology|Chronology
** S5L8700 datasheet|S5L8700 datasheet
* Other Guides
** MPEG movies|MPEG movies
** Modes|Modes
* TOOLBOX
* LANGUAGES
bc6955e80b22f3e3fe55b2a5d3483c578c156e4a
Troubleshooting 0 295 3589 3544 2011-01-14T14:05:13Z User890104 124 wikitext text/x-wiki
Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating iLoader, your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from the SVN, a Python interpreter, pyUSB and a driver (for Windows only).
You can get the script by checking out [http://svn.freemyipod.org/embios/trunk/tools/ this folder].

===Recovery mode===
Sometimes iLoader may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter emBIOS Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
At that point you can either run an emBIOS build directly to manually fix the problem, or reinstall iLoader, in case the problem was caused by a failed update.

====Uploading an installer====
After that, you need an installer binary. You can get the official version from [http://theseven.freemyipod.org/iloader/installation.php TheSeven's Installation page] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python embiosldr.py run installer-*.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to that in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your iLoader installation.
====Uploading an emBIOS binary====
You will need a known-working emBIOS build. You can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "bin" link for the device you need (not recommended because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python embiosldr.py run embios-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emBIOS Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading embios-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an emBIOS console on your iPod's screen. It will say something similar to this:
<pre>emBIOS vX.X.X rXXX
Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the embios.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an emBIOS Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains emBIOS Loader. You can build one yourself (but only if you have access to a working Nano2G), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py embiosldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: .....
done</pre>
Then your iPod should be in emBIOS Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emBIOS Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emBIOS_binary|Uploading an emBIOS binary]]) in order to recover your iLoader installation.
2e484de48e09638c57788b148a872d223752e8bf
EmCORE Monitor Protocol 0 297 3597 2011-01-16T20:36:27Z Farthen 28 Created page with "This article describes the USB communcation protocol of emCORE monitor. == Endpoints == The emCORE Monitor interface contains 4 bulk endpoints, in the following order: * Comma..." wikitext text/x-wiki
This article describes the USB communication protocol of emCORE monitor.

== Endpoints ==
The emCORE Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint
If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, are the status code; the meaning of the other bytes depends on the command.
{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !!
Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==

=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.

=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number
|-
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version
|-
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version
|-
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version
|-
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID
|-
|}
{| class="wikitable prettytable"
|+ Software Types
|-
! Software Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 2 || emCORE Debugger
|-
|}
{| class="wikitable prettytable"
|+ Hardware Types
|-
! Device Type ID !!
Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 0x47324e49 || iPod Nano 2G
|-
| style="text-align:right" | 0x47334e49 || iPod Nano 3G
|-
| style="text-align:right" | 0x47344e49 || iPod Nano 4G
|-
| style="text-align:right" | 0x4c435049 || iPod Classic
|-
|}

==== Get packet size information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size
|-
|}

==== Get user memory address range ====
Provides information about the range of memory not used by emCORE itself.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
|}

=== 2: Reset ===
Reboot the device.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
Both variants are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}
After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
I2C transactions are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)
|-
|}

=== 9: Write to I2C device ===
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)
|-
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device
|-
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device
|-
|}
I2C transactions are asynchronous commands.
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 10: Read from the USB console ===
Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size
|-
|}

=== 11: Write to the USB console ===
Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer
|-
|}

=== 12: Write to device's consoles ===
Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 13: Read from device's consoles ===
Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size
|-
|}

=== 14: Flush device's console buffers ===
Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 15: Get process information ===
Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !!
Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds
|-
|}

=== 16: (Un)Freeze scheduler ===
Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}
{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
|}

=== 17: (Un)Suspend thread ===
Suspend or resume a thread.
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !!
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emCORE executable image. This is an asynchronous command. 
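The command and response layouts tabulated above for commands 15 through 19, packed and parsed in Python as an added example; this is not code from the original wiki page or from the freemyipod project. Little-endian 32-bit fields, a 64-byte Command IN packet limit, treating any status other than 1 as a failure, and all function names are assumptions.

```python
import struct

# Assumptions, not stated on the page: fields are little-endian 32-bit words,
# the Command IN endpoint takes at most 64 bytes, and any status other than 1
# is a failure.
MAX_IN_PACKET = 64
HEADER_SIZE = 16
STATUS_OK = 1


def _u32(value, what):
    """Reject values that cannot be encoded as an unsigned 32-bit field."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{what} does not fit in 32 bits: {value!r}")
    return value


def get_process_info_cmd(offset, size, max_packet=MAX_IN_PACKET):
    """Command 15. The reply (16-byte header + data) must fit in one packet."""
    if HEADER_SIZE + _u32(size, "size") > max_packet:
        raise ValueError("request would exceed the Command IN packet size")
    return struct.pack("<4I", 15, _u32(offset, "offset"), size, 0)


def freeze_scheduler_cmd(lock):
    """Command 16: lock (1) or unlock (0), remaining 8 bytes zero."""
    return struct.pack("<2I8x", 16, 1 if lock else 0)


def suspend_thread_cmd(thread_id, suspend):
    """Command 17: suspend (1) or resume (0), then the thread ID."""
    return struct.pack("<4I", 17, 1 if suspend else 0, _u32(thread_id, "thread ID"), 0)


def kill_thread_cmd(thread_id):
    """Command 18: thread ID, remaining 8 bytes zero."""
    return struct.pack("<2I8x", 18, _u32(thread_id, "thread ID"))


def create_thread_cmd(name_ptr, entry, stack, stack_size, system, priority, ready):
    """Command 19: the one extended, 32-byte command in this group."""
    if not 1 <= priority <= 255:
        raise ValueError("priority must be in 1-255")
    words = [_u32(v, "field") for v in (name_ptr, entry, stack, stack_size)]
    return struct.pack("<8I", 19, *words, 1 if system else 0, priority, 1 if ready else 0)


def check_status(resp):
    """Every response starts with a 16-byte header whose first word is the status."""
    if len(resp) < HEADER_SIZE:
        raise ValueError(f"short response: {len(resp)} bytes")
    (status,) = struct.unpack_from("<I", resp, 0)
    if status != STATUS_OK:
        raise RuntimeError(f"device returned status {status}")


def parse_process_info(resp, offset, size):
    """Return (struct version, table size, valid bytes) for a command 15 reply."""
    check_status(resp)
    _, version, total, _undefined = struct.unpack_from("<4I", resp, 0)
    data = resp[HEADER_SIZE:HEADER_SIZE + size]
    if len(data) != size:
        raise ValueError("response shorter than the requested size")
    # Bytes past the end of the table are undefined padding, so drop them
    # instead of handing them to the caller as process information.
    valid = max(0, min(size, total - offset))
    return version, total, data[:valid]


def parse_previous_state(resp):
    """Commands 16 and 17 return the previous state (1 or 0) at offset 4."""
    check_status(resp)
    (state,) = struct.unpack_from("<I", resp, 4)
    if state not in (0, 1):
        raise ValueError(f"unexpected previous state {state}")
    return bool(state)


def parse_create_thread(resp):
    """Offset 4 is signed: a positive thread ID or a negative error code."""
    check_status(resp)
    (result,) = struct.unpack_from("<i", resp, 4)
    if result < 0:
        raise RuntimeError(f"thread creation failed with error {result}")
    return result


if __name__ == "__main__":
    # Constructed reply: version 3, 40-byte table, 16 bytes requested at
    # offset 32, so only the first 8 data bytes belong to the table.
    reply = struct.pack("<4I", 1, 3, 40, 0) + b"ABCDEFGH" + b"\xaa" * 8
    print(parse_process_info(reply, offset=32, size=16))
```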
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 562123a7babb2fbdbd727f5b3b3af507a34f1452 EmCORE Library Identifier List 0 298 3609 2011-01-21T21:49:33Z TheSeven 13 Created page with "{| class="wikitable prettytable sortable" |+ This is a list of all library identifiers that were registered so far. 
Please avoid collisions! |- ! Identifier !! Library !! Owner |..." wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all library identifiers that were registered so far. Please avoid collisions! |- ! Identifier !! Library !! Owner |- | 0x54534554 || Reserved for testing purposes, do not ever let this escape into the wild! || freemyipod.org |- | 0x49554365 || emCORE User Interface Library || freemyipod.org |- | 0x4c424365 || emCORE Booting Library || freemyipod.org |- |} 44f0479e82972426b6da4c159af2995c333adf59 3615 3609 2011-01-23T10:41:43Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all library identifiers that were registered so far. Please avoid collisions! |- ! Identifier !! Library !! Owner |- | 0x54534554 || Reserved for testing purposes, do not ever let this escape into the wild! || freemyipod.org |- | 0x49554365 || emCORE User Interface Library || freemyipod.org |- | 0x4c424365 || emCORE Booting Library || freemyipod.org |- | 0x64474e50 || emCORE PNG decoder library || freemyipod.org |- |} 03685d8d4d3a30b02ce8a99916ed2ae0dddd1d3f 3785 3615 2011-03-23T22:42:00Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all library identifiers that were registered so far. Please avoid collisions! |- ! Identifier !! Library !! Owner |- | 0x54534554 || Reserved for testing purposes, do not ever let this escape into the wild! || freemyipod.org |- | 0x49554365 || emCORE User Interface Library || freemyipod.org |- | 0x4c424365 || emCORE Booting Library || freemyipod.org |- | 0x64474e50 || emCORE PNG decoder library || freemyipod.org |- | 0x3233464d || mkfat32 library || freemyipod.org |} 7921f9d0faa1ecda886a36ba0a315989f92a7902 User talk:TheSeven 3 280 3661 3533 2011-01-27T04:47:48Z ArthuruhtrA 166 /* spoke of spam */ new section wikitext text/x-wiki == Asked about IPL on the Nano 2G == When will I be able to use ipl on my Nano 2g? 
I assume it needs to be ported, but I don't know how to do so. Is there someone working on that? --[[User:ArthuruhtrA|ArthuruhtrA]]
:AFAIK no --[[User:TheSeven|TheSeven]] 00:00, 4 January 2011 (UTC)

Can you point me to any sort of information that would help me do it? The IPL site is down currently, no idea when it will be up. I do have the files found on SourceForge, but they are not very recent. I also have no experience with this, and don't want to brick my iPod. However, I may be able to get a spare Nano 2G to try it on. Thanks. --[[User:ArthuruhtrA|ArthuruhtrA]]

I found [http://ipl.derpapst.eu/ this] mirror of the ipl site last updated in '09. That is more recent. --[[User:ArthuruhtrA|ArthuruhtrA]]
:I don't have much more either, and I don't think there are newer files. iPodLinux hasn't really been developed any more for quite some time now. As this is a completely different architecture, I would suggest throwing the iPL kernel away and starting from a recent vanilla kernel, but I haven't really dealt with Linux kernels myself yet, so I probably can't help you much with this. --[[User:TheSeven|TheSeven]] 07:23, 5 January 2011 (UTC)

If I can port it, will you create the installer/incorporate it into what you have? And can you help me with porting to an extent? I bet you know more about it than I do. I got the latest kernel from linux.org (released yesterday) and the old kernel from ipl, and will look in them, and hopefully find something that I can do, but I don't quite know what I'm doing, as I don't quite understand the iPod as well as you. Should I be using the uCLinux kernel instead? --[[User:ArthuruhtrA|ArthuruhtrA]]
:I really don't know anything about embedded Linux. IIUC uCLinux is a fork of Linux 2.4 for MMU-less systems, but someone told me that the Linux 2.6 branch supports those natively. That's about everything I can tell you regarding Linux. I will of course be able to help you on the hardware side of things, i.e.
answer questions about the hardware and the drivers emBIOS uses. What I certainly won't do is incorporating any kind of non-FAT filesystem support into my tools, as this would be a huge amount of work. But if the user handles creating an e.g. ext2 partition himself and the installer only needs to copy some files and add Linux to the iLoader menu, that's rather trivial. --[[User:TheSeven|TheSeven]] 13:13, 7 January 2011 (UTC)

== spoke of spam ==

We are having a lot of orphaned spam pages being generated. As I do not have the right to delete the pages, I have emptied their contents. The easiest way to find them is to go to the orphaned pages page, and look at the obvious spam. I would like the right to delete them, however your knowing of them is sufficient.
:It probably isn't a good idea to blank out these pages, as this produces even more spam in the "recent changes" list, and associates your account with those pages, making it harder to track things down and ban the right users/IPs. I usually look through every single edit on this wiki at least once a day, so I'll probably see them myself. However, if you want to speed things up, go to our IRC channel and notify me or Farthen, and we'll clean it up. Thanks for your help! --[[User:TheSeven|TheSeven]] 14:08, 27 January 2011 (UTC)

c5cc2ab5d852140231440de0e134a88664f55090 Address bruteforcing 0 122 3675 3360 2011-01-27T14:33:43Z Farthen 28 Fix some broken links (they were outdated but still broken :) wikitext text/x-wiki

{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nanos more quickly. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.

== Setup ==

OK, so here's how to help out: first of all download a copy of [http://freemyipod.org/w/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://freemyipod.org/w/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to.
The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are in .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off. Be sure to reserve a range for yourself to test in the table below. (We don't want anyone doing the same files at the same time.) Reserve small amounts at a time.

== Known problems ==

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine. As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]].

== Steps ==

# Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown.
This will lead to an endless reboot cycle until the note is taken off.
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the Apple logo shows up, hold the play and center buttons until the disk mode screen comes up.

Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash (#1) or freeze (#4). If you have one that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==

{| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Starting filename ! Ending filename !
Status |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm | a080b3f04.htm | Tested |- | watto | 4G Nano | 1.0.3 | Windows | a080b4004.htm | a080b7f04.htm | Reserved |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0104.htm | a080c1004.htm | Tested |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0a04.htm | a080d0f04.htm | Tested (All #1) |- | clueX | 4G Nano | 1.0.3 | Windows | a080d0104.htm | a080d1004.htm | Tested (All #1, except a080d0304 #4) |- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080d1104.htm | a080d2f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08010b04.htm | a08027f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08050104.htm | a08057f04.htm | Tested |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a0a04 | a080a1904 | Tested Results Below |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a2004.htm | a080a5904.htm | Tested! |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080a6104.htm | a080c7f04.htm | Tested |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080d0104.htm | a080d7f04.htm | Tested |- | BlackLotus | 3G Nano | 1.1.3 | Windows | a080e0104.htm | a080e7f04.htm | Reserved |- | tucenaber | 3G Nano | 1.1.3 | Windows | a080f0104.htm | a080f7f04.htm | Tested |- | JoeWheeler | 3G Nano | 1.1.3 | Windows | a08100104.htm | a08100904.htm | Reserved |} == Table of non-#1 (or non-#4) behaviors == If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary. {| class="wikitable" |- ! Username ! iPod generation ! Firmware version ! Windows/Mac ! Sweep filename ! Behavior type ! 
Notes |- | Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |- | 3mpty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |- | PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |- | farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |- | farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |- | Superandy | 3G Nano | 1.1.3 | Windows | a08010c04 | Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :) Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze. | Pretty cool |- | Jwnordquist | 2G Nano | latest | Windows | a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm | #4 | |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm | #4 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | Farthen | 4G Nano | 1.0.3 | Windows | a080a2f04.htm, a080a3a04.htm, | #2 | I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer. |- | watto | 4G Nano | 1.0.3 | Windows | a080a4f04.htm, a080a6c04 to a080a7504 inc. | #4 | Same result with crash and freeze files. |- | watto | 4G Nano | 1.0.3 | Windows | a080a5c04.htm | #2 | Same result with crash and freeze files. 
|- | kylemsguy | 4G Nano | 1.0.3 | Windows | a080c0304.htm | #4 | The results for the sweep files were the same |- | Eosphere46 | 3G Nano | 1.1.3 | Windows | a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm | #4 | Same result with crash and freeze files, they both froze. |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm | #2 | Same result for both freeze & crash files |- | tucenaber | 3G Nano | 1.1.3 | Windows | a08012b04.htm a08026104.htm | #4 for sweepfreeze #1 for sweepcrash! | Seems interesting to me but these are low addresses (below a080a2004) |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a2f04.htm a080a3a04.htm a080a5c04.htm |#2 for sweepfreeze #2 for sweepcrash |Probably nothing much, but check it out. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a4b04.htm |VERY Strange..hard to describe <sup>1</sup> |Check this out.. Same for the sweepcrash.. |- |Eosphere46 |3G Nano |1.1.3 |Windows |a080a1004.htm |#3 |Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3... |- |KAB123 |2G Classic |2.0.1 |Windows |09196804.htm 08334d04.htm |#4 for sweepfreeze, #4 for sweepcrash. | |} <sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM] adc76020cf6a2b1ddfb78eaa4126b16351a15747 EmCORE 0 323 3682 2011-02-04T12:21:23Z Farthen 28 Created page with "emCORE is a fork of [[emBIOS]] which aims at even more flexibility. It supports/enforces dynamic memory allocation and the apps are runtime-relocatable. It supports libraries whi..." wikitext text/x-wiki emCORE is a fork of [[emBIOS]] which aims at even more flexibility. It supports/enforces dynamic memory allocation and the apps are runtime-relocatable. It supports libraries which can extend the functionality of shared code even more. 
emCORE can be seen as an experiment about how bad memory fragmentation can be on these small devices and about the other side effects of using this approach. It may or may not supersede emBIOS. (well, it probably will but not yet) These features make emCORE much more powerful and extendable and are a great leap forward to accomplish our goal of making a really flexible but also lightweight operating system for embedded ARM devices with debugging and threading built in. ==Building== Getting and building emCORE is pretty much the same as building [[emBIOS]]. There are automatic builds available on [http://builds.freemyipod.org/ our buildserver], too. 99b0f83e8d15a2a85f6a2c09537403f50e1af719 3801 3682 2011-03-28T19:19:45Z TheSeven 13 wikitext text/x-wiki ==emCORE kernel== emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day). ===Features=== * Preemptive multitasking * Can run multiple independent apps at the same time * Shared library support * USB debugging API * FAT32 file system access * LCD text console and graphics API * Can run other kernels (such as Rockbox) through a kexec-like interface * ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer) ==emCORE boot menu== When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options. 08ba7ac1cf950d9cd4202b344110e6e66c68d59d S5L8702 clock gates 0 324 3684 2011-02-07T13:27:41Z TheSeven 13 Created page with "{| class="wikitable" ! Gate !! Function |- | 0 | SHA1 accelerator |- | 1 | LCD controller? |- | 2 | USB-related |- | 3 | Unknown, masking crashes immediately |- | 4 | Unknown..." wikitext text/x-wiki {| class="wikitable" ! Gate !! Function |- | 0 | SHA1 accelerator |- | 1 | LCD controller? 
|- | 2 | USB-related |- | 3 | Unknown, masking crashes immediately |- | 4 | Unknown, masking crashes after some milliseconds |- | 5 | ATA controller |- | 6 | Unknown (masked by default) |- | 7 | I2S controller |- | 8 | Unknown (running by default) |- | 9 | Unknown (masked by default) |- | 10 | AES coprocessor |- | 11 | Unknown (masked by default) |- | 12 | Unknown (running by default) |- | 13 | Unknown (running by default) |- | 14 | Unknown (masked by default) |- | 15 | Unknown (masked by default) |- | 16 | Unknown (masked by default) |- | 17 | Unknown (masked by default) |- | 18 | Unknown (masked by default) |- | 19 | Unknown (running by default) |- | 20 | Unknown (running by default) |- | 21 | Unknown (running by default) |- | 22 | Unknown (running by default) |- | 23 | Unknown (running by default) |- | 24 | Unknown (running by default) |- | 25 | Unknown (running by default) |- | 26 | Unknown (running by default) |- | 27 | Unknown (running by default) |- | 28 | Unknown (running by default) |- | 29 | Unknown (masked by default) |- | 30 | Unknown (running by default) |- | 31 | Unknown (running by default) |- | 32 | Unknown (masked by default) |- | 33 | Clickwheel controller? |- | 34 | SPI0 (NOR flash) |- | 35 | USB-related |- | 36 | I2C controller 0 |- | 37 | Unknown, masking crashes after some milliseconds |- | 38 | Unknown (masked by default) |- | 39 | Unknown (masked by default) |- | 40 | Unknown (masked by default) |- | 41 | Unknown (masked by default) |- | 42 | Unknown (masked by default) |- | 43 | SPI1? (unconnected) |- | 44 | Unknown (running by default) |- | 45 | Unknown (masked by default) |- | 46 | Unknown (masked by default) |- | 47 | SPI2? (unconnected) |- | 48 | Unknown (masked by default) |- | 49 | Unknown (masked by default) |} 5841ce82a85e0d413e53ba4e33abaf41fe92d62d 3685 3684 2011-02-07T13:30:28Z TheSeven 13 wikitext text/x-wiki {| class="wikitable" ! Gate !! Function |- | 0 | SHA1 accelerator |- | 1 | LCD controller? 
|- | 2 | USB-related |- | 3 | Unknown, masking crashes immediately |- | 4 | Unknown, masking crashes after some milliseconds |- | 5 | ATA controller |- | 6 | Unknown (masked by default) |- | 7 | I2S controller |- | 8 | Unknown (running by default) |- | 9 | Unknown (masked by default) |- | 10 | AES coprocessor |- | 11 | Unknown (masked by default) |- | 12 | Unknown (running by default) |- | 13 | Unknown (running by default) |- | 14 | Unknown (masked by default) |- | 15 | Unknown (masked by default) |- | 16 | Unknown (masked by default) |- | 17 | Unknown (masked by default) |- | 18 | Unknown (masked by default) |- | 19 | Unknown (running by default) |- | 20 | Unknown (running by default) |- | 21 | Unknown (running by default) |- | 22 | Unknown (running by default) |- | 23 | Unknown (running by default) |- | 24 | Unknown (running by default) |- | 25 | Unknown (running by default) |- | 26 | Unknown (running by default) |- | 27 | Unknown (running by default) |- | 28 | Unknown (running by default) |- | 29 | Unknown (masked by default) |- | 30 | Unknown (running by default) |- | 31 | Unknown (running by default) |- | 32 | Unknown (masked by default) |- | 33 | Clickwheel controller? |- | 34 | SPI0 (NOR flash) |- | 35 | USB-related |- | 36 | I2C controller 0 |- | 37 | Unknown, masking crashes after some milliseconds |- | 38 | Unknown (masked by default) |- | 39 | Unknown (masked by default) |- | 40 | Unknown (masked by default) |- | 41 | Unknown (masked by default) |- | 42 | Unknown (masked by default) |- | 43 | SPI1? (unconnected) |- | 44 | GPIO controller |- | 45 | Unknown (masked by default) |- | 46 | Unknown (masked by default) |- | 47 | SPI2? (unconnected) |- | 48 | Unknown (masked by default) |- | 49 | Unknown (masked by default) |} 7c2b9355f82f957dee7871474aa7f5527ff5246c 3686 3685 2011-02-07T17:12:59Z TheSeven 13 wikitext text/x-wiki {| class="wikitable" ! Gate !! Function |- | 0 | SHA1 accelerator |- | 1 | LCD controller? 
|- | 2 | USB-related |- | 3 | Unknown, masking crashes immediately |- | 4 | Unknown, masking crashes after some milliseconds |- | 5 | ATA controller |- | 6 | Unknown (masked by default) |- | 7 | I2S controller |- | 8 | Unknown (running by default) |- | 9 | Unknown (masked by default) |- | 10 | AES coprocessor |- | 11 | Unknown (masked by default) |- | 12 | Unknown (running by default) |- | 13 | Unknown (running by default) |- | 14 | Unknown (masked by default) |- | 15 | Unknown (masked by default) |- | 16 | Unknown (masked by default) |- | 17 | Unknown (masked by default) |- | 18 | Unknown (masked by default) |- | 19 | Unknown (running by default) |- | 20 | Unknown (running by default) |- | 21 | Unknown (running by default) |- | 22 | Unknown (running by default) |- | 23 | Unknown (running by default) |- | 24 | Unknown (running by default) |- | 25 | DMA controller 0 |- | 26 | Unknown (running by default) |- | 27 | Unknown (running by default) |- | 28 | Unknown (running by default) |- | 29 | Unknown (masked by default) |- | 30 | Unknown (running by default) |- | 31 | Unknown (running by default) |- | 32 | Unknown (masked by default) |- | 33 | Clickwheel controller? |- | 34 | SPI0 (NOR flash) |- | 35 | USB-related |- | 36 | I2C controller 0 |- | 37 | Unknown, masking crashes after some milliseconds |- | 38 | Unknown (masked by default) |- | 39 | Unknown (masked by default) |- | 40 | Unknown (masked by default) |- | 41 | Unknown (masked by default) |- | 42 | Unknown (masked by default) |- | 43 | SPI1? (unconnected) |- | 44 | GPIO controller |- | 45 | Unknown (masked by default) |- | 46 | Unknown (masked by default) |- | 47 | SPI2? 
(unconnected) |- | 48 | Unknown (masked by default) |- | 49 | Unknown (masked by default) |} 50ed077d82a13df0ee8afe2304472da771e35b7e S5l8702 clocking 0 325 3689 2011-02-09T20:22:31Z TheSeven 13 Created page with "<pre> 0x3c500000: CLKCON0 (00003000) Bits 0-3: CPU clock divider factor (n+1) Bit 4: CPU clock divider enable Bits 12-13: CPU clock source (0: OSC, 1-3: PLL0-2) 0x3c500004: CLK..." wikitext text/x-wiki <pre> 0x3c500000: CLKCON0 (00003000) Bits 0-3: CPU clock divider factor (n+1) Bit 4: CPU clock divider enable Bits 12-13: CPU clock source (0: OSC, 1-3: PLL0-2) 0x3c500004: CLKCON1 (00404101) Bits 8-15: AHB=>APB divider Bits 16-23: CPU=>AHB divider 0x3c500008: CLKCON2 (80008000) 0x3c50000c: CLKCON3 (80008000) 0x3c500010: CLKCON4 (00008000) 0x3c500014: CLKCON5 (00008000) Bits 0-3: Clock divider factor (n+1) Bit 3: Clock divider enable Bits 12-13: Clock source (0: OSC, 1-2: PLL0-2) Bit 15: Disable clock 0x3c500018: Unknown (00000000) 0x3c50001c: Unknown (00000000) 0x3c500020: PLL0PMS (01002402: P=1, M=36, S=4) m: 294912Hz, d: 216000000Hz 0x3c500024: PLL1PMS (2700a900: P=39, M=169, S=1) m: 215973888Hz, d: 104000000Hz 0x3c500028: PLL2PMS (01002401: P=1, M=36, S=2) m: 589824Hz, d: 432000000Hz 0x3c50002c: PLL3PMS (00000000: invalid) Bits 0-1: SDIV (2^n) Bits 8-17: MDIV Bits 24-29: PDIV 0x3c500030: PLL0LCNT (00000e10) 0x3c500034: PLL1LCNT (00000000) 0x3c500038: PLL2LCNT (00007e90) 0x3c50003c: PLL3LCNT (00000000) 0x3c500040: PLLLOCK (00000044) Bits 0-3: PLL 0-3 locked 0x3c500044: PLLMODE (00040034) Bits 0-3: PLL 0-3 enable Bits 4-7: PLL 0-3 mode (0: multiply, 1: divide) 0x3c500048: PWRCON0 (fdffffe1) 0x3c50004c: PWRCON1 (0003efd5) 0x3c500050: Unknown (00000000) 0x3c500054: Unknown (00000001) 0x3c500058: PWRCON2 (00000000) 0x3c50005c: Unknown (00000000) 0x3c500060: Unknown (00000000) 0x3c500064: Unknown (00000000) 0x3c500068: PWRCON3 (00000000) 0x3c50006c: PWRCON4 (00000000) 0x3c500070: Unknown (00000000) 0x3c500074: Unknown (00000000) 0x3c500078: Unknown (00000000) 
0x3c50007c: Unknown (00000000) </pre> 0502370745b77a4d6741511a9e342b189df5dc36 Chronology 0 65 3690 3293 2011-02-09T20:49:44Z Benedikt93 145 add n6g identify link wikitext text/x-wiki This page lists all iPod models and sets the naming used for them, so that nobody on this wiki or on IRC is confused about which device we are speaking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models] page. ==iPod Series== {| class="wikitable" ! Model !! Introduced !! Capacity !! Notes |- | [http://support.apple.com/kb/HT1353#scrollwheel 1G] | 2001-10 | 5 GB or 10 GB | |- | [http://support.apple.com/kb/HT1353#touchwheel 2G] | 2002-07 | 10 GB or 20 GB | |- | [http://support.apple.com/kb/HT1353#dockconnector 3G] | 2003-04 | 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB | |- | [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)] | 2004-07 | 20 GB or 40 GB | |- | [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)] | 2004-10 | 20 GB, 30 GB, or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)] | 2005-10 | 30 GB or 60 GB | |- | [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)] | 2006-09 | 30 GB or 80 GB | |- | [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G] | 2007-09 | 80 GB or 160 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G] | 2008-09 | 120 GB | |- | [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G] | 2009-09 | 160 GB | |} ==iPod Nano Series== {| class="wikitable" ! Model !! Introduced !! Capacity !! 
Notes |- | [http://support.apple.com/kb/HT1353#ipodnano Nano 1G] | 2005-09 | 1 GB, 2 GB, or 4 GB | |- | [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G] | 2006-09 | 2 GB, 4 GB, or 8 GB | Encryption starts |- | [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G] | 2007-09 | 4 GB or 8 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G] | 2008-09 | 8 GB or 16 GB | |- | [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G] | 2009-09 | 8 GB or 16 GB | |- | [http://support.apple.com/kb/HT1353#iPod_Nano_6G Nano 6G] | 2010-09 | 8 GB or 16 GB | Multi-Touch display |} ==Timeline== [[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]] ==The Motive== Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was that there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought. ==The Response== Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G. ==The Change== In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. 
Apple changed their processor to Samsung and no longer used PortalPlayer. ==Helpful Pages== http://support.apple.com/kb/HT1353 17339d788e8435cf017757e2b0e304ad2367ff67 EmCORE TODO list 0 326 3701 2011-02-13T17:28:06Z TheSeven 13 Created page with "== Known Bugs == * Monitor console does nonsense if under high pressure * Intermittent boot menu lockups might be a kernel bug * Shutdown while under heavy load locks up == Feat..." wikitext text/x-wiki == Known Bugs == * Monitor console does nonsense if under high pressure * Intermittent boot menu lockups might be a kernel bug * Shutdown while under heavy load locks up == Feature Requests == 63125ba5fca6b32dfda23a1a29a05720600b1831 Status 0 121 3724 3357 2011-02-21T23:27:41Z TheSeven 13 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | iBugger<ref name="ibugger"/> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> | <span style="color:grey">'''Yes'''<ref name="sram"/></span> |- | emBIOS | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref 
name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''80GB model only'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="ibugger">[[iBugger]] is being replaced with [[emBIOS]].</ref> <ref name="sram">This iBugger version is very limited as we only have access to the SRAM. This is because the bigger SDRAM is not initialized at the time when our exploit is launched. Someone needs to figure out how to initialize it.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 7d2c98c989563dec9ac0d5ed8a5ede60496b172c 3789 3724 2011-03-25T17:34:30Z Farthen 28 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span 
style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to 
have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 1320d5e1adae62c4c28da3bcca9ed5ba1dfcfc75 Classic 1G 0 245 3738 3337 2011-03-01T15:22:36Z TheSeven 13 wikitext text/x-wiki [[Image:classic_1g_frt_a.png|500px]] [[Image:classic_1g_bck_a.png|500px]] ==Terminology== By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 | | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf Cirrus Logic CS42L55] | APPLE, 338S0394, A1GIO736, MAL | |- | 1 | Power manager | NXP PCF50635 | APPLE, 338S0445, 2114.102, ZPD7383Y | |- | 6 | USB charging | LTC4066 | | |} ==Helpful pages== Teardowns: *TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back] Other: *http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html 7eef160adb6e1cb18478c587e333a325fa9ff703 Classic 3G 0 247 3739 3358 2011-03-01T15:23:09Z TheSeven 13 wikitext text/x-wiki [[Image:Front_3g.jpg|500px]] [[Image:Back_3g.jpg|500px]] iPod classic MC293, 160GB, silver No better teardown pictures of the Classic 3G have been found or made by us yet. 
There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide to the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware. ==Terminology== By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9, 2009. It is the same size as the [[Classic 2G]]. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | Samsung S5L8702 |337S3526 8702 N26P9U4 1011 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf Cirrus Logic CS42L55] | APPLE 338S0394 AICK0952 MAL | |- | 1 | Power manager | NXP PCF50635 | APPLE 338S0445 78030 82 D780113 | |- | 6 | USB charging | LTC4066 |4066T 84453 | |} e0f18e9bcf46645b61ef4065d31b5aad83e16a95 User:User890104 2 328 3751 2011-03-06T21:22:36Z User890104 124 Created page with "My name is Vencislav Atanasov. I am from Bulgaria. I enjoy writing pieces of software, mainly to improve my experience and knowledge. I own some iPods: a 4G one (color/photo), a ..." wikitext text/x-wiki My name is Vencislav Atanasov. I am from Bulgaria. I enjoy writing pieces of software, mainly to improve my experience and knowledge. I own some iPods: a 4G one (color/photo), a 2G Nano, a 3G Nano and a 4G Nano. I am providing the project with iPod Nano 2G and iPod classic emCORE installer builds, which are not suitable for everyday use, but if you feel adventurous, you can try them on your device. Detailed instructions on how to do this are available in the wiki. 
The binaries can be found at http://builds.freemyipod.org/ I am also working on a project that would provide easy access to iPod's internal storage using emCORE's monitor protocol, libusb and FUSE. It is still a proof-of-concept, so it's not even usable. If you are curious about my current progress, you can check it out at http://svn.sofyma.com/svn/Venci/emcorefs/trunk/ I would be happy to help anyone who has issues with his iLoader installation on a Nano 2G (because I have a device of that model). Please ask in the IRC channel, and if I am available, I'll try to answer your question. aad77d8482c75997fb7ff475203f04f67ece53ba EmBIOS 0 267 3786 3336 2011-03-25T16:59:54Z Farthen 28 discontinue emBIOS wikitext text/x-wiki {{Template:Outdated|reason=emBIOS was discontinued on {{#dateformat:2011-03-25}} and superseded by [[emCORE]]}} [[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]] emBIOS ('''em'''bedded '''BIOS''') is best described as a hardware abstraction with threading and debugging capabilities built in. It was superseded by [[emCORE]]. It simplified development immensely by integrating drivers for all the iPods. Before emBIOS, drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempted to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse. emBIOS was designed with portability in mind. It should also have been able to run on other devices like the BeagleBoard if someone had ported the necessary drivers. If you're curious about how emBIOS worked, you can browse its last SVN revision before its official death [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/&rev=672&peg=672 here]. 
==Building== If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod: * Check out the Freemyipod [[SVN]]. * Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path. * Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN. * You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver]. * If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix. So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do: <code>CROSS=arm-elf-eabi- make ipodnano2g</code> ==Using== To communicate with emBIOS use the embios.py Python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/trunk/tools/&rev=672&peg=672 /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios.py without any arguments to get a list of possible commands. You can upload and download from/to the memory, read the i2c bus, run emBIOS applications or complete firmware files and much more. Just try it out! d7bb9879804fa6663c9895a41fcddb48bb727452 IPod Classic iLoader Installation 0 330 3800 2011-03-28T18:12:47Z TheSeven 13 Created page with "We're currently reworking the installation instructions. Please check again in a few days." wikitext text/x-wiki We're currently reworking the installation instructions. Please check again in a few days. 
f9c5b0744c56058d0b2b86d6f6b96ac6cc8b68a2 EmCORE Installation 0 331 3802 2011-03-28T19:56:42Z TheSeven 13 Created page with "This wizard will guide you through the installation process of [[emCORE]]. '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI..." wikitext text/x-wiki This wizard will guide you through the installation process of [[emCORE]]. '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.''' Please select the type of your device below: * [[EmCORE_Installation/iPod|Apple iPod]] * [[EmCORE_Installation/UnsupportedDevice|Other device type]] 69447d8832243e1ea1ebe2ae72c6abbf228d765b EmCORE Installation/UnsupportedDevice 0 332 3803 2011-03-28T20:11:40Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. 
68e1a9951162eab6b54ab9f7cce72d2d89e88469 EmCORE Installation/iPod 0 333 3804 2011-03-28T20:49:43Z TheSeven 13 Created page with "Please select the type of your iPod below: * [[EmCORE_Installation/PPiPod|iPod 1G (2001, 5/10GB)]] * [[EmCORE_Installation/PPiPod|iPod 2G (2002, 10/20GB)]] * [[EmCORE_Installatio..." wikitext text/x-wiki Please select the type of your iPod below: * [[EmCORE_Installation/PPiPod|iPod 1G (2001, 5/10GB)]] * [[EmCORE_Installation/PPiPod|iPod 2G (2002, 10/20GB)]] * [[EmCORE_Installation/PPiPod|iPod 3G (2003, 10/15/20/30/40GB)]] * [[EmCORE_Installation/PPiPod|iPod 4G (2004, 20/40GB)]] * [[EmCORE_Installation/PPiPod|iPod Photo (2004, 30/40/60GB)]] * [[EmCORE_Installation/PPiPod|iPod 5G/5.5G/Video (2005-2006, 30/60/80GB)]] * [[EmCORE_Installation/iPodClassic|iPod 6G/6.5G/7G (Classic 1G/2G/3G) (2007-2011, 80/120/160GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 1G (4GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 2G (4/6GB)]] * [[EmCORE_Installation/PPiPod|iPod Nano 1G (2005, 1/2/4GB)]] * [[EmCORE_Installation/iPodNano2G|iPod Nano 2G (2006, 2/4/8GB)]] * [[EmCORE_Installation/iPodNano3G|iPod Nano 3G (2007, 4/8GB)]] * [[EmCORE_Installation/iPodNano4G|iPod Nano 4G (2008, 4/8/16GB)]] * [[EmCORE_Installation/iPodNano5G|iPod Nano 5G (2009, 8/16GB, camera)]] * [[EmCORE_Installation/iPodNano6G|iPod Nano 6G (2010, 8/16GB, touchscreen)]] * [[EmCORE_Installation/UnsupportedDevice|Other iPod generation]] If in doubt, please check the manufacturer's web site for details: [http://support.apple.com/kb/ht1353] 82a9e7a8a9172a83549a742f907aa8ed54a0f333 3805 3804 2011-03-28T20:50:04Z TheSeven 13 wikitext text/x-wiki Please select the type of your iPod below: * [[EmCORE_Installation/PPiPod|iPod 1G (2001, 5/10GB)]] * [[EmCORE_Installation/PPiPod|iPod 2G (2002, 10/20GB)]] * [[EmCORE_Installation/PPiPod|iPod 3G (2003, 10/15/20/30/40GB)]] * [[EmCORE_Installation/PPiPod|iPod 4G (2004, 20/40GB)]] * [[EmCORE_Installation/PPiPod|iPod Photo (2004, 30/40/60GB)]] * 
[[EmCORE_Installation/PPiPod|iPod 5G/5.5G/Video (2005-2006, 30/60/80GB)]] * [[EmCORE_Installation/iPodClassic|iPod 6G/6.5G/7G (Classic 1G/2G/3G) (2007-2011, 80/120/160GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 1G (4GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 2G (4/6GB)]] * [[EmCORE_Installation/PPiPod|iPod Nano 1G (2005, 1/2/4GB)]] * [[EmCORE_Installation/iPodNano2G|iPod Nano 2G (2006, 2/4/8GB)]] * [[EmCORE_Installation/iPodNano3G|iPod Nano 3G (2007, 4/8GB)]] * [[EmCORE_Installation/iPodNano4G|iPod Nano 4G (2008, 4/8/16GB)]] * [[EmCORE_Installation/iPodNano5G|iPod Nano 5G (2009, 8/16GB, camera)]] * [[EmCORE_Installation/iPodNano6G|iPod Nano 6G (2010, 8/16GB, touchscreen)]] * [[EmCORE_Installation/UnsupportedDevice|Other iPod generation]] If in doubt, please check the manufacturer's web site for details: [http://support.apple.com/kb/ht1353] e6690d9074400b41fbc66325854a569b3dd0d35f 3806 3805 2011-03-28T20:50:57Z TheSeven 13 wikitext text/x-wiki Please select the type of your iPod below: * [[EmCORE_Installation/PPiPod|iPod 1G (2001, 5/10GB)]] * [[EmCORE_Installation/PPiPod|iPod 2G (2002, 10/20GB)]] * [[EmCORE_Installation/PPiPod|iPod 3G (2003, 10/15/20/30/40GB)]] * [[EmCORE_Installation/PPiPod|iPod 4G (2004, 20/40GB)]] * [[EmCORE_Installation/PPiPod|iPod Photo (2004, 30/40/60GB)]] * [[EmCORE_Installation/PPiPod|iPod 5G/5.5G/Video (2005-2006, 30/60/80GB)]] * [[EmCORE_Installation/iPodClassic|iPod 6G/6.5G/7G (Classic 1G/2G/3G) (2007-2011, 80/120/160GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 1G (4GB)]] * [[EmCORE_Installation/PPiPod|iPod Mini 2G (4/6GB)]] * [[EmCORE_Installation/PPiPod|iPod Nano 1G (2005, 1/2/4GB)]] * [[EmCORE_Installation/iPodNano2G|iPod Nano 2G (2006, 2/4/8GB)]] * [[EmCORE_Installation/iPodNano3G|iPod Nano 3G (2007, 4/8GB)]] * [[EmCORE_Installation/iPodNano4G|iPod Nano 4G (2008, 4/8/16GB)]] * [[EmCORE_Installation/iPodNano5G|iPod Nano 5G (2009, 8/16GB, camera)]] * [[EmCORE_Installation/iPodNano6G|iPod Nano 6G (2010, 8/16GB, touchscreen)]] * 
[[EmCORE_Installation/iPodShuffle|iPod Shuffle]] * [[EmCORE_Installation/iPodTouch|iPod Touch]] * [[EmCORE_Installation/UnsupportedDevice|Other iPod generation]] If in doubt, please check the manufacturer's web site for details: [http://support.apple.com/kb/ht1353] ea2ab5030ac4d4f38137b3bbbb10a3d2a9499ee1 EmCORE Installation/PPiPod 0 334 3807 2011-03-28T21:11:30Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]], and will probably never be. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of expe..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]], and will probably never be. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device uses a PortalPlayer CPU, which is completely different to the newer iPod generations, but is covered by iPodLinux reasonably well. Rockbox has its own bootloader for this device, so it doesn't need [[emCORE]] either. Given these facts, there doesn't seem to be much interest in an [[emCORE]] port to this device. e338085d6021d9c0bd2ac3a19cebbd9c11ce39f0 EmCORE Installation/ 0 335 3808 2011-03-28T21:12:09Z TheSeven 13 Redirected page to [[EmCore Installation]] wikitext text/x-wiki #redirect [[emCore Installation]] 77932f347b55e23dae2a7d1b2db1d7a0d4d62a2e 3809 3808 2011-03-28T21:12:25Z TheSeven 13 Redirected page to [[EmCORE Installation]] wikitext text/x-wiki #redirect [[emCORE Installation]] 152b07d8ec23bf909a2c2d2ddd030afb64c4c1ea EmCORE Installation/iPodShuffle 0 336 3810 2011-03-28T21:24:48Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]], and will probably never be. 
Porting [[emCORE]] to a new device is generally a lot of work and requires lots of expe..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]], and will probably never be. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Given that your device has very limited means of user input and output, there doesn't seem to be much interest in an [[emCORE]] port to this device. 39761009f4b3a369a76da9bb925a7dcea8b21fbc 3812 3810 2011-03-28T21:26:33Z TheSeven 13 wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]], and will probably never be. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Given that your device has very limited means of user input and output, there doesn't seem to be much interest in an [[emCORE]] port to this device. 042ae8882115e0179bf622b7e9021d01b3f3599a EmCORE Installation/iPodTouch 0 337 3811 2011-03-28T21:26:14Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. 
Given that it would take several years of work to reach a state where [[emCORE]] could compete with the features of the original firmware, there doesn't seem to be much interest in an [[emCORE]] port to this device. 2dbdcc5237e9372c9844a9267dde3a2787770e56 EmCORE Installation/iPodNano5G 0 338 3813 2011-03-28T21:28:59Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Given that your device is locked down heavily to prevent it from running non-approved code, an exploit needs to be found in order to port [[emCORE]] to it. This isn't an easy task at all, and so far nobody has accomplished it yet. 5842cb0c69f009b9f7f9126916ed81570f74264a EmCORE Installation/iPodNano6G 0 339 3814 2011-03-28T21:29:26Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Given that your device is locked down heavily to prevent it from running non-approved code, an exploit needs to be found in order to port [[emCORE]] to it. 
This isn't an easy task at all, and so far nobody has accomplished it yet. fc3e7ca794028c1e1d36baae7fa7f5f648f56083 EmCORE Installation/iPodNano3G 0 340 3815 2011-03-28T21:31:13Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device is highly similar to the iPod Classic, which [[emCORE]] already supports, but there's still a significant amount of work left to be done before emCORE can be booted on it. 36e22ae16363eb56e29f7fb6371f1281befa4563 EmCORE Installation/iPodNano4G 0 341 3816 2011-03-28T21:33:40Z TheSeven 13 Created page with "Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system ..." wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device is vaguely similar to other devices that [[emCORE]] supports, and [[emCORE]] can already be booted on it from a RAMDISK, but a significant amount of work remains before it can be permanently installed and access the device's flash memory. Until this work is done, the [[emCORE]] port to this device isn't of much use. 
5318d525c0fb1d80101d281248ce402f98618104 EmCORE Installation/iPodNano2G 0 342 3817 2011-03-28T21:35:15Z TheSeven 13 Created page with "Your device is fully supported by [[emCORE]], but installation instructions have yet to be written. Please check this page again in a few days." wikitext text/x-wiki Your device is fully supported by [[emCORE]], but installation instructions have yet to be written. Please check this page again in a few days. 8c2b88493e7e2069ac47fa1a722fa12e05de4c73 EmCORE Installation/iPodClassic 0 343 3818 2011-03-28T21:41:20Z TheSeven 13 Created page with "Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?) * [[EmCORE Installation/iPodClassic/ThirdParty|Yes]..." wikitext text/x-wiki Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?) * [[EmCORE Installation/iPodClassic/ThirdParty|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] e41f31427d6aa957029cf17f3bbac094e1b6e502 EmCORE Installation/iPodClassic/ThirdParty 0 344 3819 2011-03-28T21:42:43Z TheSeven 13 Created page with "Does that third party firmware offer you a way to run "UMSboot"? * [[EmCORE Installation/iPodClassic/ThirdPartyUMSboot|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]]" wikitext text/x-wiki Does that third party firmware offer you a way to run "UMSboot"? * [[EmCORE Installation/iPodClassic/ThirdPartyUMSboot|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] df54d39cf6cc1b51e801563f4cec1769e7d3f839 EmCORE Installation/iPodClassic/ThirdPartyUMSboot 0 345 3820 2011-03-28T21:44:44Z TheSeven 13 Created page with "Please plug your iPod into your computer and boot "UMSboot" now. Do you see a 64MB-sized USB drive called "UMSboot" connect to your computer, and can you access it? * [[EmCORE ..." wikitext text/x-wiki Please plug your iPod into your computer and boot "UMSboot" now. 
Do you see a 64MB-sized USB drive called "UMSboot" connect to your computer, and can you access it? * [[EmCORE Installation/iPodClassic/UMSboot|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] e43f7f47e5a0de277af71d98d3b473bef2c2b37c EmCORE Installation 0 331 3821 3802 2011-03-28T21:47:30Z TheSeven 13 wikitext text/x-wiki This wizard will guide you through the installation process of [[emCORE]]. '''Please follow the instructions closely, step by step. If any doubts arise, please ask for support before playing around. You could permanently damage your device!''' '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.''' Please select the type of your device below: * [[EmCORE_Installation/iPod|Apple iPod]] * [[EmCORE_Installation/UnsupportedDevice|Other device type]] e1c7f63dcdb06e64df33f30be7d4ba38772f70a1 3824 3821 2011-03-28T22:06:10Z TheSeven 13 wikitext text/x-wiki This wizard will guide you through the installation process of [[emCORE]]. '''Please follow the instructions closely, step by step. If any doubts arise, please ask for [[Contact|support]] before playing around. You could permanently damage your device!''' '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.''' Please select the type of your device below: * [[EmCORE_Installation/iPod|Apple iPod]] * [[EmCORE_Installation/UnsupportedDevice|Other device type]] aa15e8e81e07c98188298b58aa3b730898c7e355 EmCORE Releases 0 346 3822 2011-03-28T21:59:05Z TheSeven 13 Created page with "Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r674..." wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> a94b989c78d686b68af52bb48469faeac6116c2c 3823 3822 2011-03-28T22:01:26Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 1a2d0491a3b0b82c1f0232c83375c7df3c40e026 3838 3823 2011-03-29T05:42:36Z Farthen 28 /* Release notes / Known issues */ wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. 
===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 06003fd95507c1cdeb547bbc63f6d36434a36cda 3860 3838 2011-04-05T23:46:32Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * The boot menu seems to cause some memory corruption. This does not seem to affect normal users though. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. 
===Fixes / Improvements=== * Disabled undervolting for the iPod Classic * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * The boot menu seems to cause some memory corruption. This does not seem to affect normal users though.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> bb628506106e659226944f9e157a37df3b440ea0 3861 3860 2011-04-06T00:50:41Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * The boot menu seems to cause some memory corruption. This does not seem to affect normal users though. * Reducing the CPU core voltage on the iPod Classic has been disabled. 
Battery life might be adversely affected. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * The boot menu seems to cause some memory corruption. 
This does not seem to affect normal users though. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 16f03d0722ce0f92ce4f77f1be64bbf1d8c33920 3867 3861 2011-04-11T08:06:24Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * The boot menu seems to cause some memory corruption. This does not seem to affect normal users though. 
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up for a still unknown reason. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. 
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * The boot menu seems to cause some memory corruption. This does not seem to affect normal users though. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 32352b54b1949c60a765cf9611ec81c476931e89 EmCORE Installation/iPodClassic/UMSboot 0 347 3825 2011-03-28T22:17:00Z TheSeven 13 Created page with "* Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * ..." 
wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on Linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) * Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (this can sometimes take about half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! 37f0ae2f57ba9bf572ff2d951c605c45d2685b64 EmCORE Installation/iPodClassic/PrepareDFU 0 348 3826 2011-03-28T22:21:32Z TheSeven 13 Created page with "Which operating system are you using on your computer? * [[EmCORE Installation/iPodClassic/PrepareDFUWin|Windows (XP/Vista/7)]] * [[EmCORE Installation/iPodClassic/UnsupportedOS..." wikitext text/x-wiki Which operating system are you using on your computer?
* [[EmCORE Installation/iPodClassic/PrepareDFUWin|Windows (XP/Vista/7)]]
* [[EmCORE Installation/iPodClassic/UnsupportedOS|An older version of Windows]]
* [[EmCORE Installation/iPodClassic/PrepareDFULinux|Linux]]
* [[EmCORE Installation/iPodClassic/UnsupportedOS|Mac OS]]
* [[EmCORE Installation/iPodClassic/UnsupportedOS|Something else]]
863657547392b362be2e610336cc87822cac582f EmCORE Installation/iPodClassic/UnsupportedOS 0 349 3827 2011-03-28T22:22:35Z TheSeven 13 Created page with "Sorry, your PC operating system is not supported. Please get access to either a Windows (XP or newer) or Linux computer to install [[emCORE]]." wikitext text/x-wiki
Sorry, your PC operating system is not supported. Please get access to either a Windows (XP or newer) or Linux computer to install [[emCORE]].
bf7f9ca0e7cc3409e030368cfd965155c4959bca EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 3828 2011-03-28T22:23:45Z TheSeven 13 Created page with "While installing [[emCORE]] from linux is possible, the instructions for that have yet to be written. Please check this page again in a few days." wikitext text/x-wiki
While installing [[emCORE]] from Linux is possible, the instructions for that have yet to be written. Please check this page again in a few days.
7986b0524c515c5de1e068a48d103b453bb508f0 3845 3828 2011-03-30T17:40:25Z STeeF 88 DFU install instruction linux wikitext text/x-wiki
* Connect the iPod to the computer using the USB data cable.
* Make sure the hold switch is turned off.
* Press and HOLD the Menu+Select buttons for about 15 seconds. At first the iPod might start, if it's not started already. It will then reboot, and emCORE/emBIOS/iLoader will show up; keep holding the Menu+Select buttons until the screen goes completely dark.
* Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or use a fresh copy of the [[SVN|svn tree]] to obtain the tools/ipoddfu folder.
* Download [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu] and store it.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-r674-20110325.dfu'
Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
7d59258b64c69c0cce3e8992149e845f8f8ae373 3846 3845 2011-03-30T17:46:39Z STeeF 88 Generalized the use of the Releases page, added Linux warning wikitext text/x-wiki
* Connect the iPod to the computer using the USB data cable.
* Make sure the hold switch is turned off.
* Press and HOLD the Menu+Select buttons for about 15 seconds. At first the iPod might start, if it's not started already. It will then reboot, and emCORE/emBIOS/iLoader will show up; keep holding the Menu+Select buttons until the screen goes completely dark.
* Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or use a fresh copy of the [[SVN|svn tree]] to obtain the tools/ipoddfu folder.
* Download the "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic.dfu'
Your iPod should now turn on and connect a 64MB drive called "UMSboot". It's a known issue that Linux might take a long time (over 10 minutes) to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
9608685242738ed8faea1474be9146fba2b5819e EmCORE Installation/iPodClassic/PrepareDFUWin 0 351 3829 2011-03-28T22:25:26Z TheSeven 13 Created page with "Do you have iTunes installed on your computer? * [[EmCORE Installation/iPodClassic/DFUiTunes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes]]" wikitext text/x-wiki
Do you have iTunes installed on your computer?
* [[EmCORE Installation/iPodClassic/DFUiTunes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes]] 35c97951ac860317cc879a73bb895af1cec00231 3831 3829 2011-03-28T22:50:53Z TheSeven 13 wikitext text/x-wiki Do you have iTunes installed on your computer? * [[EmCORE Installation/iPodClassic/DFUiTunes|Yes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|No]] d28af057b42c17100c96fc6628821d05a1f72c95 3837 3831 2011-03-28T23:16:59Z TheSeven 13 wikitext text/x-wiki * Please make sure that you have at least .NET Framework 3.5 installed Do you have iTunes installed on your computer? * [[EmCORE Installation/iPodClassic/DFUiTunes|Yes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|No]] 959ae13cb5bb1c77ad288674da608ca065422563 3842 3837 2011-03-29T15:50:52Z TheSeven 13 wikitext text/x-wiki Do you have iTunes installed on your computer? * [[EmCORE Installation/iPodClassic/DFUiTunes|Yes]] * [[EmCORE Installation/iPodClassic/ChooseMethod|No]] d20e4cd2ad70a696a5ab6bdee42fda63b97b0254 EmCORE Installation/iPodClassic/DFUiTunes 0 352 3830 2011-03-28T22:50:12Z TheSeven 13 Created page with "* Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] fi..." wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. 
* Wait for the driver installation to complete * Open the device manager * Find the "Apple Recovery (DFU) USB Driver" device (Should be in the "USB controllers" category) * Do a right click on it and choose "Update driver" * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] fc3b96bf5fbe25a4e2baf785ce4907be28bdccdf 3839 3830 2011-03-29T05:50:14Z JollyGood 270 details on how to kill a process wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. 
* Wait for the driver installation to complete * Open the device manager * Find the "Apple Recovery (DFU) USB Driver" device (Should be in the "USB controllers" category) * Do a right click on it and choose "Update driver" * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] f508cd1ac8b0bec289a5c0a19bd0192aec243a64 3840 3839 2011-03-29T15:48:43Z TheSeven 13 wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 57af9285011865bfce1b7e86ea37eba8ad5620e9 3856 3840 2011-04-03T01:33:58Z Farthen 28 wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file * Make sure iTunes is closed * Kill "AppleMobileDeviceHelper.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 7ecae0c49582b13955a9bbfc187598ffb7e9400a EmCORE Installation/iPodClassic/DFUNoiTunes 0 353 3832 2011-03-28T22:52:01Z TheSeven 13 Created page with "* Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] fi..." 
wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 4df22195244e1107ef433e6381793ae3202acd2f 3841 3832 2011-03-29T15:50:09Z TheSeven 13 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 80db8c8ec237e9ca0d081fbd710149905aa500da EmCORE 0 323 3833 3801 2011-03-28T22:55:36Z TheSeven 13 wikitext text/x-wiki ==emCORE kernel== emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day). 
===Features=== * Preemptive multitasking * Can run multiple independent apps at the same time * Shared library support * USB debugging API * FAT32 file system access * LCD text console and graphics API * Can run other kernels (such as Rockbox) through a kexec-like interface * ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer) ==emCORE boot menu== When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options. ==Installation instructions== There's an installation wizard available on [[EmCORE Installation|this page]]. 2dc8839e37a150e7e47cac5ee2764d0228d6c536 ILoader 0 146 3834 3306 2011-03-28T22:56:52Z TheSeven 13 wikitext text/x-wiki {{Template:Outdated|reason=iLoader was discontinued on {{#dateformat:2011-03-25}} and superseded by the [[emCORE]] boot menu}} b67c80ac3f10a717059ed38bd59e293ded4efc06 IPod Classic iLoader Installation 0 330 3835 3800 2011-03-28T22:57:45Z TheSeven 13 Redirected page to [[EmCORE Installation]] wikitext text/x-wiki #redirect [[EmCORE Installation]] 87ac0391c83de27e91eed70fdf8e0b387ee6d589 IBugger 0 116 3836 3305 2011-03-28T23:07:05Z TheSeven 13 wikitext text/x-wiki {{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emCORE]].}} [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] The two iBugger utilities use a Python script that handles USB communication with the iPod. ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. 
iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very little changes needed to the code being debugged, to allow running it in iBugger There are iBugger Loader releases for the 2G and 4G Nanos. 2c6b8e008ea632e77e96964d2e539805e5930b06 EmCORE Installation/iPodClassic/ChooseMethod 0 354 3843 2011-03-29T15:52:05Z TheSeven 13 Created page with "Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|Install iTunes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|..." 
wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|Install iTunes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|Install a custom device driver for the iPod]] 42f5bc9c7b853a040f64619d60fcc15939e93074 EmCORE Installation/iPodClassic/InstalliTunes 0 355 3844 2011-03-29T15:52:52Z TheSeven 13 Created page with "* Please install iTunes now * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]]" wikitext text/x-wiki * Please install iTunes now * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] 2bfd9d45ea2412aab3a78afac265f8fa7110ae95 3849 3844 2011-03-30T22:20:43Z Farthen 28 wikitext text/x-wiki * Please install iTunes now. You can get it from http://www.apple.com/itunes/download/ * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] cecb2a6e34f2dfcb0c2379bfcdc83caf6e73a317 3850 3849 2011-03-30T22:21:08Z Farthen 28 wikitext text/x-wiki * Please install iTunes now. You can get it from http://www.apple.com/itunes/download/. * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] b919b091413d2cf55c94cb850c37748070aceb87 Contact 0 259 3847 3479 2011-03-30T22:16:15Z Farthen 28 wikitext text/x-wiki There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged, please check http://logs.freemyipod.org for the logfiles. === #freemyipod-support === This is our support channel. '''If you have questions or problems concerning our software, this is the place to ask.''' You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [http://webchat.freenode.net/?channels=freemyipod-support here]) === #freemyipod === This channel is for anything else related to the project, mainly focused on development. 
If you want to learn more about the technical details of something or want to [[Contributing|contribute]] to the project we would be glad to help you. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [http://webchat.freenode.net/?channels=freemyipod here])

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [http://webchat.freenode.net/?channels=freemyipod-chatter here])

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.

=== freemyipod ===
This list is for questions on the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here]

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.
0466459c5740bcc3d3947146c0422e17ac355d6b 3848 3847 2011-03-30T22:18:41Z TheSeven 13 wikitext text/x-wiki
There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices.

== IRC ==
We have some fairly active IRC channels on [http://freenode.net/ freenode].
Some channels are logged; please check http://logs.freemyipod.org for the log files.

=== #freemyipod-support ===
This is our support channel. '''If you have questions or problems concerning our software, this is the place to ask.''' You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [http://webchat.freenode.net/?channels=freemyipod-support here])

=== #freemyipod ===
This channel is for anything else related to the project, mainly focused on development. If you want to learn more about the technical details of something or want to [[Contributing|contribute]] to the project we will be glad to help you. You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [http://webchat.freenode.net/?channels=freemyipod here])

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there. You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [http://webchat.freenode.net/?channels=freemyipod-chatter here])

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.

=== freemyipod ===
This list is for questions on the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here]

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org.
Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.
bffa3d184121c7460d3ce303c1f37ed78989035d 3851 3848 2011-03-30T22:39:58Z Farthen 28 wikitext text/x-wiki
There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices.

== IRC ==
We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged; please check http://logs.freemyipod.org for the log files.

=== #freemyipod-support ===
This is our support channel. '''If you have questions or problems concerning our software, this is the place to ask.''' If you have questions about Rockbox that are not iPod related, please look for support at [http://www.rockbox.org/ rockbox.org], and if you happen to have any question related to the original iPod firmware please ask elsewhere.
* You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [http://webchat.freenode.net/?channels=freemyipod-support here])

=== #freemyipod ===
This channel is for anything else related to the project, mainly focused on development. If you want to learn more about the technical details of something or want to [[Contributing|contribute]] to the project we will be glad to help you.
* You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [http://webchat.freenode.net/?channels=freemyipod here])

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there.
* You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [http://webchat.freenode.net/?channels=freemyipod-chatter here])

== Mailing lists ==
We have several mailing lists. You can find them on http://lists.freemyipod.org.
=== freemyipod ===
This list is for questions on the project, development-related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something.
* You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list.
* You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here]

== Mail ==
If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.
659d9f806f36e55dc5102fb52d2a4ad08b2c4644 Talk:EmCORE Releases 1 356 3852 2011-03-31T03:27:21Z Binavik 56 Nano 2G wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano? I would really like to test this.
21fdc10369b22014700d13bb32939d8a3f8c5476 User:TheSeven 2 357 3853 2011-03-31T16:06:49Z Ksb2aus 295 Created page with "I have an ipod classic 120 GB. I got emcore and Rock are installed. When I go to update the Rockbox database for the first time it freezes and will not proceed. So as of right n..." wikitext text/x-wiki
I have an ipod classic 120 GB. I got emcore and Rock are installed. When I go to update the Rockbox database for the first time it freezes and will not proceed. So as of right now I am just limited to games. I have searched the net and having found much. Is there a fix for this? I need help so I can have the full features of Rockbox.
Thanks ksb2aus@yahoo.com ce848cf818a728936ff5118e3797aeb98f01fd75 Modes 0 52 3854 3539 2011-04-02T16:42:05Z User890104 124 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed for as long as the iPod has. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash.

===Getting DFU mode on iPod Classic, Nano 3G and newer===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will briefly appear.
# Keep on pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You can use lsusb to determine if your iPod is in DFU mode.
05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:
{| class="wikitable"
! Device !! Normal !! DFU
|-
| Nano 2G
| 1260
| 1220
|-
| Nano 3G
| 1262
| 1223/1224
|-
| Nano 4G
| 1263
| 1225
|-
| Nano 5G
| 1265
| 1231
|-
| Nano 6G
| 1266
| ????
|-
| Classic 1G
| 1261
| 1223
|-
| Classic 2G
| 1261
| 1223
|-
| Classic 3G
| 1261
| 1223
|}

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. There is also a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf
c2461f84b001e97edb18a26f5375749e21705a01 3855 3854 2011-04-02T16:52:03Z User890104 124 wikitext text/x-wiki
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed for as long as the iPod has. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash.

===Getting DFU mode on iPod Classic, Nano 3G and newer===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and the select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will briefly appear.
# Keep on pressing until the Apple logo turns into a black screen. This takes about 10 seconds.
# Release the menu and select buttons.
You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:
{| class="wikitable"
! Device !! Normal !! DFU !! WTF
|-
| Nano 2G
| 1260
| 1220 (1240?)
| ????
|-
| Nano 3G
| 1262
| 1223/1224
| 1242
|-
| Nano 4G
| 1263
| 1225
| 1243
|-
| Nano 5G
| 1265
| 1231
| 1246
|-
| Nano 6G
| 1266
| ????
| ????
|-
| Classic 1G
| 1261
| 1223
| 1242?
|-
| Classic 2G
| 1261
| 1223
| 1242?
|-
| Classic 3G
| 1261
| 1223
| 1242?
|}
source: http://www.linux-usb.org/usb.ids

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. There is also a utility called ipoddfu.py for uploading files in DFU mode.
These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.

==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

bd5753884a5d89f0effc9f60f8349ed6d75c188f 3857 3855 2011-04-05T02:47:07Z User890104 124 wikitext text/x-wiki

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxiliary flash (along with the bootloader), so it is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page on the iPodLinux wiki.

[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project])

==DFU mode==
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since Nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash.
There's a recovery mode that can be entered by holding down BACK+PLAY right after rebooting the device.

===Getting DFU mode on iPod Classic, Nano 3G and newer ===
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
# The iPod's screen will go black, and the Apple logo will shortly appear.
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
# Release the menu and select buttons.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (Apple), and the number after the colon is the product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:

{| class="wikitable"
! Device !! Normal !! DFU !! WTF
|-
| Nano 2G || 1260 || 1220 || 1240
|-
| Nano 3G || 1262 || 1223/1224 || 1242
|-
| Nano 4G || 1263 || 1225 || 1243
|-
| Nano 5G || 1265 || 1231 || 1246
|-
| Nano 6G || 1266 || 1232 || 1248
|-
| Classic 1G || 1261 || 1223 || 1241
|-
| Classic 2G || 1261 || 1223 || 1245
|-
| Classic 3G || 1261 || 1223 || 1247
|}

sources:
http://www.linux-usb.org/usb.ids
http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY

===DFU utility===
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. There is also a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].

==Debug (diagnostics) mode==
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot.
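The lsusb check from the DFU mode section above, as an added example (not part of the original wiki page or of the freemyipod tools): it parses `lsusb` output and uses the product-ID table to report the mode of each attached Apple device, listing every model that shares an ID. The function names and the sample `lsusb` lines are constructed for illustration.

```python
"""Classify attached iPods by USB product ID, from `lsusb` output."""
import re
from collections import namedtuple

APPLE_VENDOR_ID = "05ac"
MODES = ("Normal", "DFU", "WTF")  # column names of the table on this page

# Product IDs copied from the table on this page, one list per column.
# lsusb prints IDs as four lowercase hex digits.
PRODUCT_IDS = {
    "Nano 2G":    (["1260"], ["1220"], ["1240"]),
    "Nano 3G":    (["1262"], ["1223", "1224"], ["1242"]),
    "Nano 4G":    (["1263"], ["1225"], ["1243"]),
    "Nano 5G":    (["1265"], ["1231"], ["1246"]),
    "Nano 6G":    (["1266"], ["1232"], ["1248"]),
    "Classic 1G": (["1261"], ["1223"], ["1241"]),
    "Classic 2G": (["1261"], ["1223"], ["1245"]),
    "Classic 3G": (["1261"], ["1223"], ["1247"]),
}

# Shape of a line such as "Bus 001 Device 004: ID 05ac:1223 Apple, Inc."
LSUSB_LINE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")

# Hypothetical result record for this example.
Sighting = namedtuple("Sighting", "bus device product_id mode models")

# Constructed sample input; ffff is a made-up ID that is not in the table.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05ac:1223 Apple, Inc.
Bus 002 Device 007: ID 05ac:1260 Apple, Inc.
Bus 002 Device 009: ID 05ac:ffff Apple, Inc.
"""


def build_index(table=PRODUCT_IDS):
    """Invert the table: product ID -> (mode, [models sharing that ID])."""
    index = {}
    for model, columns in table.items():
        for mode, pids in zip(MODES, columns):
            for pid in pids:
                known_mode, models = index.setdefault(pid, (mode, []))
                if known_mode != mode:
                    # The same ID in two columns would make the mode ambiguous.
                    raise ValueError("%s is listed as both %s and %s"
                                     % (pid, known_mode, mode))
                models.append(model)
    return index


def classify_lsusb(text, index=None):
    """Return one Sighting per Apple device found in lsusb output."""
    if index is None:
        index = build_index()
    found = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m is None:
            continue  # not a device line
        bus, device, vid, pid = m.groups()
        if vid.lower() != APPLE_VENDOR_ID:
            continue  # other vendors are ignored
        # IDs missing from the table are reported, not silently dropped.
        mode, models = index.get(pid.lower(), ("unknown", []))
        found.append(Sighting(int(bus), int(device), pid.lower(),
                              mode, tuple(models)))
    return found


if __name__ == "__main__":
    for s in classify_lsusb(SAMPLE_LSUSB):
        print("bus %d device %d: 05ac:%s -> %s %s"
              % (s.bus, s.device, s.product_id, s.mode,
                 ", ".join(s.models) or "(not in table)"))
```

A DFU result for 1223 cannot tell a Nano 3G from a Classic, because the table lists the same ID for all of them; the mode itself is unambiguous since no ID appears in more than one column.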
==Helpful pages==
http://www.ipodlinux.org/wiki/Key_Combinations
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

10840a2def9af1fda8884a2633115aa795484cbb Talk:EmCORE 1 358 3858 2011-04-05T13:41:26Z Wintermute 279 Autoboot wikitext text/x-wiki

==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

8cfcb3e8a04ded096da2efee22184e7e837cc171 3859 3858 2011-04-05T21:30:35Z Yar Chi 298 /* Autoboot */ wikitext text/x-wiki

==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

Put! Works as long as no errors... in the loaded boot menu has a choice - there I do not climb! Uploading once Rockbox:) and where the standard software? You can make so that it too was that?

6cb7679f9d1ed0910282c1b10526e8567f0e3ef2 3862 3859 2011-04-06T05:35:25Z Yar Chi 298 /* Autoboot */ wikitext text/x-wiki

==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)

059ff7b44d736d68eb74fd377223de40684ef6d4 3865 3862 2011-04-09T15:30:07Z XXxHaydenxXx 172 /* ATA error: -11 */ new section wikitext text/x-wiki

==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)

== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this?
I just installed EmCORE.

7b0cbe5870eff8cc17d07852e3c1922936bd0419 3866 3865 2011-04-10T08:16:52Z Benedikt93 145 wikitext text/x-wiki

==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)

== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this? I just installed EmCORE.
: For others this was caused by a too old RockBox, so you might want to try upgrading it. --[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)

e6910a3dea35e06b8a03ca3b5ff6963304f91cc3 Troubleshooting 0 295 3863 3589 2011-04-07T13:47:44Z User890104 124 s/(emBIOS|iLoader)/emCORE/g wikitext text/x-wiki

Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==Nano 2G==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].
===Recovery mode===
Sometimes [[emCORE]] may fail to finish loading and crash before showing the menu because you have installed a faulty build (for example, after making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>

At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update.

====Uploading an [[emCORE]] installer====
After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python emcoreldr.py run installer-*.ubi</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.ubi to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>

Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation.

====Uploading an [[emCORE]] binary====
You will need a known-working [[emCORE]] build: you can use one that you have built yourself, grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "bin" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one.
After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading emcore-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>

Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX
Waiting for USB commands</pre>

If everything goes as described here, you can connect to your device using the emcore.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an [[emCORE]] Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or ask someone on IRC. Then put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>

Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display.
It should print some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>

You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation.

4158a9c673b8e33edcf607bdd86a5d8469b498cd 3864 3863 2011-04-07T13:53:12Z User890104 124 wikitext text/x-wiki

Sometimes your iPod may get into an unusable state, which is often called "bricked". This does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==[[Nano_2G|Nano 2G]]==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].

===Recovery mode===
Sometimes [[emCORE]] may fail to finish loading and crash before showing the menu because you have installed a faulty build (for example, after making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on.
If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>

At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update.

====Uploading an [[emCORE]] installer====
After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python emcoreldr.py run installer-*.ubi</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.ubi to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>

Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation.

====Uploading an [[emCORE]] binary====
You will need a known-working [[emCORE]] build: you can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading emcore-ipodnano2g.bin to 0x 8000000.....
done
Passing control to code at 0x 8000000... done</pre>

Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX
Waiting for USB commands</pre>

If everything goes as described here, you can connect to your device using the emcore.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an [[emCORE]] Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or ask someone on IRC. Then put it in the same folder as ipoddfu.py, turn your iPod's HOLD switch on and enter the following command:
<pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>

Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>

You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation.
==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]== (to be continued) 3402296b1259f7255b93bd019d2b187129d28d02 EmCORE Installation/iPodClassic/DFUNoiTunes 0 353 3868 3841 2011-04-11T09:47:55Z TheSeven 13 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod start to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 1c4d51db9e0f750f4a19c9b2510f325c41e37d5e 3871 3868 2011-04-12T13:14:59Z Farthen 28 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] e1c25ac358b72ff48c8fcba2d4a260ac8d361bbb 3872 3871 2011-04-12T13:16:04Z Farthen 28 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] fae78fe2b5c4407d6a2f1957be95d25c6af15ca2 EmCORE 0 323 3869 3833 2011-04-12T08:00:56Z User890104 124 wikitext text/x-wiki ==emCORE kernel== emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day). 
===Features=== * Preemptive multitasking * Can run multiple independent apps at the same time * Shared library support * USB debugging API * FAT32 file system access * LCD text console and graphics API * Can run other kernels (such as Rockbox) through a kexec-like interface * ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer) ==emCORE boot menu== When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options. ==Installation instructions== There's an installation wizard available on [[EmCORE Installation|this page]]. ==Uninstallation instructions== There's an uninstallation wizard available on [[EmCORE Uninstallation|this page]]. db37e4f478dac800e20c5f7901ceb8114bff22a7 EmCORE Uninstallation 0 359 3870 2011-04-12T08:09:37Z User890104 124 Uninstall instructions wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer # Enter [[Modes#Getting_DFU_mode_on_iPod_Classic.2C_Nano_3G_and_newer|DFU mode]] # Restore using iTunes 5c4f41ba5bc5934c388be27c34dce9f86873aa55 3894 3870 2011-05-01T00:02:00Z TheSeven 13 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer # Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod 
starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes 36ee1de6583571b147ff8a0baa3be0b6fb5ccdd1 3904 3894 2011-05-15T09:37:18Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer # Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes 0be78a2e1cae7af8a68177ea449c85100ee2b16a Main Page 0 50 3873 3788 2011-04-15T08:39:34Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] '''emCORE installation instructions:''' [[emCORE Installation]] ==Updates== *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. 
Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[iLoader]] * [[iBugger]] * [[emCORE]] ** [[emCORE Monitor Protocol]] * [[emBIOS]] ** [[emBIOS Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} 1159c19d39f6ebc9458e5dc52ac36b23b49dce5f 3880 3873 2011-04-25T02:56:10Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]] This is the wiki for the freemyipod project. 
Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] '''emCORE installation instructions:''' [[emCORE Installation]] ==Updates== * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. 
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
** [[ Toolchain ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Project summary ]]
===Released Software===
* [[iLoader]]
* [[iBugger]]
* [[emCORE]]
** [[emCORE Monitor Protocol]]
* [[emBIOS]]
** [[emBIOS Monitor Protocol]]
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Reverse engineering results===
* [[Firmware]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|}
678d9c17e9ee7eeae77ceea05737af26d3d86c83 EmCORE Installation/iPodClassic/DFUiTunes 0 352 3877 3856 2011-04-22T10:22:23Z TheSeven 13 wikitext text/x-wiki
* Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file
* Connect your iPod to your computer
* Make sure iTunes is closed
* Kill "AppleMobileDeviceHelper.exe" using the task manager
** Open the task manager (press CTRL + SHIFT + ESC)
** Click on the "Processes" tab
** Choose "AppleMobileDeviceService.exe"
** Press the "End Process" button
** Press "End Process" to confirm
* Make sure the hold switch is not locked
* Press and hold the menu and select buttons for between 10 and 15 seconds (The
iPod will show an Apple logo after about 5 seconds; keep holding the buttons until it seems to turn off completely)

The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC.
* Wait for the driver installation to complete
* Run bootstrap_ipodclassic_itunes.exe

Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
1c07ed82d2cd73ae165dc465ca6d55fd43167ff0 EmCORE Releases 0 346 3878 3867 2011-04-24T20:21:08Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed!
(2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed!
(2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 027024a1597a9226d9e171eaec08c0fcf8363bf7 3879 3878 2011-04-24T20:21:35Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. 
* Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed!
(2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> a32cd0a1a9adc7cf8280d04ab8e901ac644ffba0 3899 3879 2011-05-08T16:03:03Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. 
* Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.
===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> be369d874314ff35f1398c50a31f12bd7baff0f2 3900 3899 2011-05-09T14:52:24Z Wolftail 138 /* Release notes / Known issues */ fixed a typo wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. 
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. 
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 968613c9a0b9b76e32edbb6837b354f361bb4a07 3902 3900 2011-05-12T05:52:28Z TheSeven 13 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. 
If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. 
If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.

===Files===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/>
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>

==r674: March 25th, 2011==
===Release notes / Known issues===
* This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild.
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Initial public [[emCORE]] release

===Files===
[http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/>

e2cb242908daeea676de68bbc331d72adf313c6a
3903 3902 2011-05-15T06:59:21Z Jones1 312 the link had the wrong date directory wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released to the public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

==r708: April 24th, 2011==
===Release notes / Known issues===
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.

===Files===
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>

==r692: April 6th, 2011==
===Release notes / Known issues===
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.

===Files===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/>
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>

==r674: March 25th, 2011==
===Release notes / Known issues===
* This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild.
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Initial public [[emCORE]] release

===Files===
[http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/>

960fc50702d96899ac26179f9269921b2d6cad8c
3913 3903 2011-05-24T10:28:49Z
User890104 124 wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released to the public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

'''If you use fastboot, always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!'''

==r708: April 24th, 2011==
===Release notes / Known issues===
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.

===Files===
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>

==r692: April 6th, 2011==
===Release notes / Known issues===
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.

===Files===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/>
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>

==r674: March 25th, 2011==
===Release notes / Known issues===
* This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild.
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.

===Fixes / Improvements===
* Initial public [[emCORE]] release

===Files===
[http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/>

67da60c7c2069cfad20dc622277e169b143bec26
GUID table 0 268 3881 3084 2011-04-25T10:52:12Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
|}

c0f74fbca495d2772a20b8a4ccc82ebe920f82d6
3882 3881 2011-04-25T11:14:41Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> || Nano4G EFI || Cpu:400A06EC
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
|}

1ee8bf246daf10123f2628554766c884b1646611
3883 3882 2011-04-25T12:16:12Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> || Nano4G EFI || Cpu:400A06EC
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI ||
|-
|}

e6ffe6d63a45f07c9c6d2671916ff36e6014aef7
3884 3883 2011-04-25T12:18:22Z Benedikt93 145 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])|| Nano4G EFI || Cpu:400A06EC
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI ||
|-
|}

cbb4acd952ef48c00110772263b573474774c26b
3885 3884 2011-04-25T13:02:03Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])|| Nano4G EFI || Cpu:400A06EC
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice)
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1)
|-
|}

36753df65772577309d44d228131ce3bf4b37743
3886 3885 2011-04-25T15:46:21Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])|| Nano4G EFI || Cpu:400A06EC
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice)
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1)
|-
| <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C
|-
| <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0
|-
|}

78fa0198c77fbb728f116192c76ac63271b592dd
3887 3886 2011-04-25T17:41:14Z Benedikt93 145 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions)
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice)
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1)
|-
| <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C
|-
| <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0
|-
|}

2bdde13b9632143ec8d6c645fe3837e453101dd8
3888 3887 2011-04-25T17:55:24Z Benedikt93 145 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions)
|-
| <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C
|-
| <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310
|-
| <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI, Nano3G EFI || ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL])
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1)
|-
| <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C
|-
| <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0
|-
|}

0632791e7f77f717cf52dad9271886f14abc1c1b
3889 3888 2011-04-27T21:46:38Z TheSeven 13 wikitext text/x-wiki

{| class="wikitable prettytable sortable"
|+ This is a list of all GUIDs found in various Apple code that we've analyzed so far
|-
! GUID !! Source !! Description
|-
| <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488
|-
| <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620
|-
| <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540
|-
| <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C
|-
| <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C
|-
| <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224
|-
| <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C
|-
| <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250
|-
| <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244
|-
| <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210
|-
| <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204
|-
| <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214
|-
| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234
|-
| <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200
|-
| <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208
|-
| <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C
|-
| <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID])
|-
| <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G:
some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> || Nano4G EFI, Nano3G EFI || ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- |} 9c2a580236ea47d41fdad43657c3bc8c90fd97af 3891 3889 2011-04-28T12:42:00Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: 
some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- |} c5e7d8475d5f4386a5e653d376ee6073bc4dc8e1 3893 3891 2011-04-29T16:21:19Z Benedikt93 145 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- |rowspan="2"| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | Nano4G EFI || DxeD1759:40081234 |- | Nano3G EFI || DxeD1671:40030FAC, table entries: * +0 pmu_read(void *this, char reg, unsigned int size, void *data) * +4 pmu_write(void *this, char reg, unsigned int size, void *data) |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html 
EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- |} bc29a704630a102e8d1c646878875745c408aab3 User talk:Gabrielbarreto 3 363 3890 2011-04-28T02:31:04Z Gabrielbarreto 306 Help wikitext text/x-wiki I cant put my ipod classic in DFU mode, help me please! 
645f988cfe2cb455310a6e612e800a5ee348c5fd EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 3892 3846 2011-04-29T10:57:36Z TheSeven 13 wikitext text/x-wiki * Make sure that you have python 2.6 or 2.7, libusb and pyusb >=1.0.0a0 installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and connect a 64MB drive called "UMSboot". It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 21610fda0aa5208f61d3e64673f6c7bfde9631f9 3905 3892 2011-05-15T16:06:11Z Jones1 312 wikitext text/x-wiki * Make sure that you have python 2.6 or 2.7, libusb and pyusb >=1.0.0a0 installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. 
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and connect a 64MB drive called "UMSboot". If you issue a 'sudo fdisk -l' command you will see theIt's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 581aa3c32a7a1fb82a3698dd78ac0285b7762a8d 3906 3905 2011-05-15T17:52:14Z Jones1 312 clarification on instructions wikitext text/x-wiki * Make sure that you have python 2.6 or 2.7, libusb and pyusb >=1.0.0a0 installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 75791049d74ee295ee844021aa55277ad4324a57 Modes 0 52 3895 3857 2011-05-01T13:03:13Z Farthen 28 wikitext text/x-wiki iPods have special modes that they can boot into, called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed for as long as the iPod has. It is stored in different locations, depending on the iPod model. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to [http://support.apple.com/kb/ht1363 this Apple support document]. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since Nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash. There is also a NOR DFU mode, though, which can be entered by holding down BACK+PLAY right after rebooting the device. ===Getting DFU mode on iPod Classic, Nano 3G and newer === # Make sure your iPod is turned on and connected to your computer. # Press and hold the menu and select buttons for between 10 and 15 seconds (the iPod starts to reboot after about 5 seconds; keep holding the buttons until it seems to turn off completely). # The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. You can use lsusb to determine if your iPod is in DFU mode.
05ac is the Vendor ID (Apple), and the number after the colon is the Product ID. The Product ID depends on the iPod model and on the mode it is in. Here is a table of Product IDs: {| class="wikitable" ! Device !! Normal !! DFU !! WTF |- | Nano 2G | 1260 | 1220 | 1240 |- | Nano 3G | 1262 | 1223/1224 | 1242 |- | Nano 4G | 1263 | 1225 | 1243 |- | Nano 5G | 1265 | 1231 | 1246 |- | Nano 6G | 1266 | 1232 | 1248 |- | Classic 1G | 1261 | 1223 | 1241 |- | Classic 2G | 1261 | 1223 | 1245 |- | Classic 3G | 1261 | 1223 | 1247 |} Sources: http://www.linux-usb.org/usb.ids http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY ===DFU utility=== TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It comes with a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository]. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf b211b1480a900449784c7fa111639cc0f3bd1729 3896 3895 2011-05-01T13:04:54Z Farthen 28 wikitext text/x-wiki iPods have special modes that they can boot into, called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed for as long as the iPod has. It is stored in different locations, depending on the iPod model. Disk mode basically makes the iPod behave as a mass storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode, refer to [http://support.apple.com/kb/ht1363 this Apple support document].
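The Product ID table in the DFU mode section above can be applied mechanically to lsusb output. The following Python 3 sketch is an added example, not part of ipoddfu.py or of the original page: the function names and the sample lsusb lines are constructed for illustration, and the Product IDs are transcribed from the table. It also shows that some IDs (1223, 1261) are shared by several models, so the ID alone identifies the mode but not always the device.

```python
import re

APPLE_VENDOR_ID = 0x05AC

# Product IDs transcribed from the table on this page (hex, as lsusb prints
# them). "WTF" is the column name used by the page's table.
PRODUCT_IDS = {
    "Nano 2G":    {"Normal": ["1260"], "DFU": ["1220"],         "WTF": ["1240"]},
    "Nano 3G":    {"Normal": ["1262"], "DFU": ["1223", "1224"], "WTF": ["1242"]},
    "Nano 4G":    {"Normal": ["1263"], "DFU": ["1225"],         "WTF": ["1243"]},
    "Nano 5G":    {"Normal": ["1265"], "DFU": ["1231"],         "WTF": ["1246"]},
    "Nano 6G":    {"Normal": ["1266"], "DFU": ["1232"],         "WTF": ["1248"]},
    "Classic 1G": {"Normal": ["1261"], "DFU": ["1223"],         "WTF": ["1241"]},
    "Classic 2G": {"Normal": ["1261"], "DFU": ["1223"],         "WTF": ["1245"]},
    "Classic 3G": {"Normal": ["1261"], "DFU": ["1223"],         "WTF": ["1247"]},
}

# One lsusb line looks like: "Bus 001 Device 007: ID 05ac:1223 <description>"
LSUSB_LINE = re.compile(
    r"^Bus\s+(?P<bus>\d+)\s+Device\s+(?P<dev>\d+):\s+"
    r"ID\s+(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\b"
)

# Constructed sample input (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 007: ID 05ac:1223 Apple, Inc.
Bus 001 Device 008: ID 05ac:1261 Apple, Inc.
Bus 002 Device 003: ID 05ac:1243 Apple, Inc.
Bus 002 Device 004: ID 05ac:ffff Apple, Inc.
this line is not lsusb output
"""


def build_pid_index(table=PRODUCT_IDS):
    """Map each Product ID to every (model, mode) pair that uses it."""
    index = {}
    for model, modes in table.items():
        for mode, pids in modes.items():
            for pid in pids:
                index.setdefault(int(pid, 16), []).append((model, mode))
    return index


def classify_lsusb(output, index=None):
    """Return one finding per Apple device found in lsusb output."""
    index = build_pid_index() if index is None else index
    findings = []
    for line in output.splitlines():
        match = LSUSB_LINE.match(line.strip())
        if match is None:
            continue  # not an lsusb device line
        if int(match.group("vid"), 16) != APPLE_VENDOR_ID:
            continue  # other vendors are out of scope
        pid = int(match.group("pid"), 16)
        candidates = index.get(pid, [])
        modes = sorted({mode for _, mode in candidates})
        if not modes:
            mode = "unknown"      # Apple device, but not in the table
        elif len(modes) == 1:
            mode = modes[0]
        else:
            mode = "ambiguous"    # would mean one ID listed under two modes
        findings.append({
            "bus": int(match.group("bus")),
            "device": int(match.group("dev")),
            "product_id": "%04x" % pid,
            "mode": mode,
            "models": [model for model, _ in candidates],
        })
    return findings


def devices_in_dfu(output):
    """Only the findings whose Product ID is listed in the DFU column."""
    return [f for f in classify_lsusb(output) if f["mode"] == "DFU"]


if __name__ == "__main__":
    for finding in classify_lsusb(SAMPLE_LSUSB):
        print("bus %(bus)03d dev %(device)03d  05ac:%(product_id)s  "
              "%(mode)-7s %(models)s" % finding)
```

On a live system the input would be the text printed by `lsusb` instead of the constructed sample.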
[[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since Nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash. There is also a NOR DFU mode, though, which can be entered by holding down BACK+PLAY right after rebooting the device. ===Getting DFU mode on iPod Classic, Nano 3G and newer === # Make sure your iPod is turned on and connected to your computer. # Press and hold the menu and select buttons for between 10 and 15 seconds (the iPod starts to reboot after about 5 seconds; keep holding the buttons until it seems to turn off completely). # The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. You can use lsusb to determine if your iPod is in DFU mode. 05ac is the Vendor ID (Apple), and the number after the colon is the Product ID. The Product ID depends on the iPod model and on the mode it is in. Here is a table of Product IDs: {| class="wikitable" ! Device !! Normal !! DFU !! 
WTF |- | Nano 2G | 1260 | 1220 | 1240 |- | Nano 3G | 1262 | 1223/1224 | 1242 |- | Nano 4G | 1263 | 1225 | 1243 |- | Nano 5G | 1265 | 1231 | 1246 |- | Nano 6G | 1266 | 1232 | 1248 |- | Classic 1G | 1261 | 1223 | 1241 |- | Classic 2G | 1261 | 1223 | 1245 |- | Classic 3G | 1261 | 1223 | 1247 |} Sources: http://www.linux-usb.org/usb.ids http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY ===DFU utility=== TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It comes with a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository]. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the Apple logo appears during reboot. ==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf 228ef761ef213adbc934fa9af8c8744244f4520c Talk:EmCORE Releases 1 356 3897 3852 2011-05-02T11:15:13Z VaSh 188 wikitext text/x-wiki == Nano 2G == So are there instructions for getting this on my 2G nano? I would really like to test this. ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: 6673e6b9009611d26a678f74c65b6c633c48e943 3898 3897 2011-05-02T13:03:16Z Benedikt93 145 wikitext text/x-wiki == Nano 2G == So are there instructions for getting this on my 2G nano? I would really like to test this. == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? 
(: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) 3bb98699a957a9678f7e264349ac231560207fb8 3921 3898 2011-05-25T17:28:53Z VaSh 188 wikitext text/x-wiki == Nano 2G == So are there instructions for getting this on my 2G nano? I would really like to test this. == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) When is the next release planned to be out? fcd482164358914c35368d8c28b5cad6095e4131 3922 3921 2011-05-25T20:23:00Z User890104 124 wikitext text/x-wiki == Nano 2G == So are there instructions for getting this on my 2G nano? I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When is the next release planned to be out? : When some of the remaining bugs are fixed. 
[[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) d37557af9413727e3ab35d73942b64c048595326 Nano 3G/Memory Map 0 283 3908 3332 2011-05-22T01:03:59Z Yuriks 164 Added VIC wikitext text/x-wiki {| class="wikitable" |- ! Address !! Description !! Notes |- | <tt>0xFFFF FFFF - 0x4000 0000</tt> || || |- | <tt>0x3FFF FFFF - 0x3800 0000</tt> || I/O Area || See table below |- | <tt>0x37FF FFFF - 0x2204 0000</tt> || || |- | <tt>0x2203 FFFF - 0x2200 0000</tt> || On-chip SRAM || Always accessible |- | <tt>0x21FF FFFF - 0x2000 C800</tt> || || |- | <tt>0x2000 C7FF - 0x2000 0000</tt> || Boot ROM || Executed by processor at start up |- | <tt>0x1FFF FFFF - 0x0C00 0000</tt> || || |- | <tt>0x0BFF FFFF - 0x0A00 0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1 |- | <tt>0x09FF FFFF - 0x0800 0000</tt> || SDRAM Mirror 1 || Needs initialization |- | <tt>0x07FF FFFF - 0x0000 0000</tt> || || |- |} = IO Map = {| class="wikitable" |- ! Address !! Description !! Notes |- | <tt>0x3C800000<br />0x3C800004</tt> || WDTCON<br />WDTCNT || Watchdog timer<ref name="datasheet" /> |- | <tt>0x38E0_0000 - 0x38E0_1000<br />0x38E0_1000 - 0x38E0_2000</tt> || VIC0 Base<br />VIC1 Base || Vectored Interrupt Controller<ref name="vic_ds" /> |- |} <references> <ref name="datasheet">See [[S5L8700 datasheet]]</ref> <ref name="vic_ds">ARM PrimeCell Vectored Interrupt Controller (PL192) - [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0273a/DDI0273.pdf Datasheet]</ref> </references> 6b5cd02b742739c112b98788b9ecfb0ae6f881ae 3909 3908 2011-05-22T01:05:25Z Yuriks 164 Added _ spacers wikitext text/x-wiki {| class="wikitable" |- ! Address !! Description !! 
Notes |- | <tt>0xFFFF_FFFF - 0x4000_0000</tt> || || |- | <tt>0x3FFF_FFFF - 0x3800_0000</tt> || I/O Area || See table below |- | <tt>0x37FF_FFFF - 0x2204_0000</tt> || || |- | <tt>0x2203_FFFF - 0x2200_0000</tt> || On-chip SRAM || Always accessible |- | <tt>0x21FF_FFFF - 0x2000_C800</tt> || || |- | <tt>0x2000_C7FF - 0x2000_0000</tt> || Boot ROM || Executed by processor at start up |- | <tt>0x1FFF_FFFF - 0x0C00_0000</tt> || || |- | <tt>0x0BFF_FFFF - 0x0A00_0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1 |- | <tt>0x09FF_FFFF - 0x0800_0000</tt> || SDRAM Mirror 1 || Needs initialization |- | <tt>0x07FF_FFFF - 0x0000_0000</tt> || || |- |} = IO Map = {| class="wikitable" |- ! Address !! Description !! Notes |- | <tt>0x3C80_0000<br />0x3C80_0004</tt> || WDTCON<br />WDTCNT || Watchdog timer<ref name="datasheet" /> |- | <tt>0x38E0_0000 - 0x38E0_1000<br />0x38E0_1000 - 0x38E0_2000</tt> || VIC0 Base<br />VIC1 Base || Vectored Interrupt Controller<ref name="vic_ds" /> |- |} <references> <ref name="datasheet">See [[S5L8700 datasheet]]</ref> <ref name="vic_ds">ARM PrimeCell Vectored Interrupt Controller (PL192) - [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0273a/DDI0273.pdf Datasheet]</ref> </references> 55b5dd00e8b78dd74b17acaae4a64dd71c27ca11 3910 3909 2011-05-22T01:09:58Z Yuriks 164 Switched to open interval end addresses wikitext text/x-wiki {| class="wikitable" |- ! Address !! Description !! 
Notes |- | <tt>0x100000000 - 0x4000_0000</tt> || || |- | <tt>0x4000_0000 - 0x3800_0000</tt> || I/O Area || See table below |- | <tt>0x3800_0000 - 0x2204_0000</tt> || || |- | <tt>0x2204_0000 - 0x2200_0000</tt> || On-chip SRAM || Always accessible |- | <tt>0x2200_0000 - 0x2000_C800</tt> || || |- | <tt>0x2000_C800 - 0x2000_0000</tt> || Boot ROM || Executed by processor at start up |- | <tt>0x2000_0000 - 0x0C00_0000</tt> || || |- | <tt>0x0C00_0000 - 0x0A00_0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1 |- | <tt>0x0A00_0000 - 0x0800_0000</tt> || SDRAM Mirror 1 || Needs initialization |- | <tt>0x0800_0000 - 0x0000_0000</tt> || || |- |} = IO Map = {| class="wikitable" |- ! Address !! Description !! Notes |- | <tt>0x3C80_0000<br />0x3C80_0004</tt> || WDTCON<br />WDTCNT || Watchdog timer<ref name="datasheet" /> |- | <tt>0x38E0_0000 - 0x38E0_1000<br />0x38E0_1000 - 0x38E0_2000</tt> || VIC0 Base<br />VIC1 Base || Vectored Interrupt Controller<ref name="vic_ds" /> |- |} <references> <ref name="datasheet">See [[S5L8700 datasheet]]</ref> <ref name="vic_ds">ARM PrimeCell Vectored Interrupt Controller (PL192) - [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0273a/DDI0273.pdf Datasheet]</ref> </references> fe7f530ca11beff54dd29bac14e44263b41b8fe8 3911 3910 2011-05-22T01:10:37Z Yuriks 164 wikitext text/x-wiki {| class="wikitable" |- ! Address !! Description !! 
Notes |- | <tt>0x100000000 - 0x4000_0000</tt> || || |- | <tt>0x4000_0000 - 0x3800_0000</tt> || I/O Area || See table below |- | <tt>0x3800_0000 - 0x2204_0000</tt> || || |- | <tt>0x2204_0000 - 0x2200_0000</tt> || On-chip SRAM || Always accessible |- | <tt>0x2200_0000 - 0x2000_C800</tt> || || |- | <tt>0x2000_C800 - 0x2000_0000</tt> || Boot ROM || Executed by processor at start up |- | <tt>0x2000_0000 - 0x0C00_0000</tt> || || |- | <tt>0x0C00_0000 - 0x0A00_0000</tt> || SDRAM Mirror 2 || Same contents as mirror 1 |- | <tt>0x0A00_0000 - 0x0800_0000</tt> || SDRAM Mirror 1 || Needs initialization |- | <tt>0x0800_0000 - 0x0000_0000</tt> || || |- |} = IO Map = {| class="wikitable" |- ! Address !! Description !! Notes |- | <tt>0x3C80_0000<br />0x3C80_0004</tt> || WDTCON<br />WDTCNT || Watchdog timer<ref name="datasheet" /> |- | <tt>0x38E0_1000 - 0x38E0_0000<br />0x38E0_2000 - 0x38E0_1000</tt> || VIC0 Base<br />VIC1 Base || Vectored Interrupt Controller<ref name="vic_ds" /> |- |} <references> <ref name="datasheet">See [[S5L8700 datasheet]]</ref> <ref name="vic_ds">ARM PrimeCell Vectored Interrupt Controller (PL192) - [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0273a/DDI0273.pdf Datasheet]</ref> </references> 57e473e1cb74cbbe7b722e19bcd9ec076a25e386 EmCORE Installation/iPodNano2G 0 342 3912 3817 2011-05-24T10:15:39Z User890104 124 wikitext text/x-wiki Your device is fully supported by [[emCORE]], but there are some bugs left, so it's not yet recommended for end users. If you would like to dual-boot [http://www.rockbox.org/ Rockbox] and Apple's firmware, it would be safer to use Rockbox's bootloader or [http://theseven.freemyipod.org/iloader/ iLoader]. If you would like to test-drive [[emCORE]] on your iPod Nano 2G, you can follow the [http://theseven.freemyipod.org/iloader/installation.php iLoader install instructions], but replace iLoader's .ipodx file with '''installer-ipodnano2g.ipodx''' from [[EmCORE_Releases|the Releases page]]. 
7eac178592d19bdc767f58c6c53d53afe8399bbc IBugger 0 116 3914 3836 2011-05-24T10:31:01Z User890104 124 wikitext text/x-wiki outdated {{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emCORE]].}} [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] The two iBugger utilities use a Python script that handles USB communication with the iPod. ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. 
Feel free to add this on the PC side) * Very little changes needed to the code being debugged, to allow running it in iBugger There are iBugger Loader releases for the 2G and 4G Nanos. 8f845dafc32518f27a0bbd4343e71a5ebbf33df2 3920 3914 2011-05-24T20:55:38Z Farthen 28 wikitext text/x-wiki {{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emCORE]].}} [[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] The two iBugger utilities use a Python script that handles USB communication with the iPod. ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. 
Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very little changes needed to the code being debugged, to allow running it in iBugger There are iBugger Loader releases for the 2G and 4G Nanos. 72126bf120735f928176852ba387f7b62da45cb4 Nano 6G 0 276 3915 3356 2011-05-24T15:48:29Z User890104 124 wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | Audio codec | Cirrus Logic CLI1544C0 | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | PMU | Dialog D1830B | Apple 338S0783-B1 10298HLS | |- | <span style="color:#e8e838">Yellow</span> | FM receiver | Silicon Labs Si4800 | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Samsung APL3278A01 ARM Application processor Samsung K4X51323PI Mobile DDR SDRAM (64 MB) Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. 
[http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | Touchscreen controller | Cypress CY8C20746B | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.<br /> The red and black wires lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 Reviews: *http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars 142c124d40ca6016dafc9a8ae89ca24ab31ba2f1 3916 3915 2011-05-24T15:50:33Z User890104 124 wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | Audio codec | Cirrus Logic CLI1544C0 | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | PMU | Dialog D1830B | Apple 338S0783-B1 10298HLS | |- | <span style="color:#e8e838">Yellow</span> | FM receiver | Silicon Labs Si4800 | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Samsung APL3278A01 ARM Application processor Samsung K4X51323PI Mobile DDR SDRAM (64 MB) Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | Touchscreen controller | Cypress CY8C20746B | 35758907 1025 A 04 629749 | |} ==Notes== The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. 
We don't yet know how this device works and if we want to do something with it at all.<br /> The red and black wires lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 Reviews: *http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars *http://www.ubmtechinsights.com/reports-and-subscriptions/investigative-analysis/apple-ipod-nano/ 9c6ff5f73b83aa63f38a9fbc695074de2e31fd38 EmCORE Installation/iPodNano4G 0 341 3917 3816 2011-05-24T16:59:12Z User890104 124 wikitext text/x-wiki Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device is vaguely similar to other devices that [[emCORE]] supports, and [[emCORE]] can already be booted on it from a RAMDISK, but a significant amount of work remains before it can be permanently installed and access the device's flash memory. Until this work is done, the [[emCORE]] port to this device isn't of much use. ==Running [[emCORE]] from the RAM== As of now the only way to execute code on the [[Nano_4G|Nano 4G]] is through the [[Notes_vulnerability|Notes vulnerability]] and with [[Pwnage 2.0]]. As we don't know yet how to initialize the SDRAM on the [[Nano_4G|Nano 4G]] the only useful method is by using the [[Notes_vulnerability|Notes vulnerability]]. The only working note at the moment is an [[IBugger#iBugger_Loader|iBugger loader]]. '''Attention''': The [[Notes_vulnerability|Notes vulnerability]] was patched in the v1.0.4 firmware update of the [[Nano_4G|Nano 4G]]. You need to [[Firmware_downgrading | downgrade to v1.0.3]] to still use the Notes vulnerability. 
To run [[IBugger#iBugger_Loader|iBugger loader]], download the [http://files.freemyipod.org/targets/iPod%20nano%204g/n4g_ibugger_libusb1.zip Nano 4G iBugger package]. To use the scripts in there you need a working [[Toolchain#Python_Scripts|Python Toolchain]].

Simply put the "n4g-ibugger.bootnote" in the "Notes" directory of your [[Nano_4G|Nano 4G]] and safely remove the device. A Mandelbrot set should be displayed on the screen with some text stating it is Unified [[IBugger#iBugger_Loader|iBugger loader]] v0.1.1 running on [[Nano_4G|Nano 4G]].

You can get a recent emCORE build for your device from [http://builds.freemyipod.org/ the builds page].

To run [[emCORE]], enter these commands:
 python ibugger.py upload 08000000 emcore-ipodnano4g-rXYZ.bin
 python ibugger.py execute 08000000 0a000000

You can then use the [[emCORE]] tools to communicate with [[emCORE]].
ebc3507ed51a01a87647c8d5a0ec27766e5fa27e Nano 4G 0 243 3918 3548 2011-05-24T16:59:40Z User890104 124 wikitext text/x-wiki
[[Image:nano_4g_frt_a.png|500px]]
[[Image:nano_4g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 2
| CPU
| Samsung S5L8720
| 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831
| ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
|
| SDRAM
|
|
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| 4
| Accelerometer
| [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL]
| 33DL, 2827
| The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
|-
| 6
| NAND Flash
| Varies
| TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE
|
|-
| 5
| Audio codec
| Probably Cirrus
| 338S055C, 189N0824, SGP
| I determined this because the [[Nano 5G]] has a similar chip whose identity we are sure of. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air.
|-
| 1
| Power manager
| D1759
| 338S0687-AC, 08288HBB
|
|-
| 3
|
|
|
|
|}

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1

Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
97ceb2bfdfa1d2ccc1f6a38407bb0edf6044909b Hardware 0 54 3919 3350 2011-05-24T17:00:34Z User890104 124 wikitext text/x-wiki
This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on its link.

{| class="wikitable"
! Generation !! CPU !! RAM !! size !! Utility flash !! size
|-
|[[Nano 1G]]
|PP5021C-TDF
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41856 SST39WF400A]
|512kB
|-
|[[Nano 2G]]
|S5L8701
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG]
|32MB
|[http://www.sst.com/products/?inode=41422 SST39WF800A]
|1MB
|-
|[[Nano 3G]]
|S5L8702
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]
|32MB
|[http://www.sst.com/products/?inode=41340 SST25VF080B]
|1MB
|-
|[[Nano 4G]]
|S5L8720
|Integrated
|32MB
|?
|?
|-
|[[Nano 5G]]
|S5L8730
|Integrated
|?
|?
|?
|-
|[[Nano 6G|"Nano" 6G]]
|S5L8723
|?
|?
|?
|?
|- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 7a4106d48aeb9337841c3c4bb0d6f281a3195b97 Fastboot 0 366 3923 2011-05-25T21:14:34Z User890104 124 Created page with "Fastboot is an [[emCORE]] application, that runs [http://www.rockbox.org/ Rockbox] as soon as the device is powered on. It is preferred by many users, and it is not so hard to in..." wikitext text/x-wiki Fastboot is an [[emCORE]] application, that runs [http://www.rockbox.org/ Rockbox] as soon as the device is powered on. It is preferred by many users, and it is not so hard to install. '''Nano 2G users''': If you mainly use Apple's firmware and would like to "fastboot" into it, please ask on IRC for a modified fastboot build that boots OF<ref name="OF">'''OF''' stands for '''Original firmware'''</ref> instead. ==Usage== *To boot [http://www.rockbox.org/ Rockbox] with fastboot installed, just power your iPod on. *To launch the boot menu instead, '''hold''' any key while your iPod is turning on until you see the menu. 
==Installation==
'''WARNING: Always use the same version of [[emCORE]] and fastboot! Mixing up versions may lead to a condition where your iPod won't boot, and would require recovering with an additional set of tools!'''

Installing fastboot is done by copying '''fastboot.emcoreapp''' under the name '''init.emcoreapp''' to a folder named '''.boot''' in the root folder of your iPod's flash memory/hard drive. Here are instructions for doing that on different OSes<ref name="OS">'''OS''' stands for '''Operating system'''</ref>.

===Windows===
''It is not possible to create such a folder using Windows's GUI<ref name="GUI">'''GUI''' stands for '''Graphical user interface'''</ref>.''

# Connect your iPod in OF<ref name="OF" />, [http://www.rockbox.org/ Rockbox] or Disk mode so it appears in My computer as a storage device. Note the drive letter (for example, '''F:''').
# Open '''Command prompt''' (Start -> Programs -> Accessories -> Command prompt).
# Enter the drive letter from step 1 with the colon at the end and press Enter.
# Enter the following commands:
 cd /
 mkdir .boot

Next, download the fastboot application that matches your emCORE version to the newly created '''.boot''' folder in your iPod. Don't forget to rename it to '''init.emcoreapp''' or it won't be loaded at all.
===Linux===
''Since files starting with dot are hidden on Linux by default, you need to either show them (in your favourite file manager's options) or use the command line.''

An example to copy the file using the command line would be:
 mkdir -p /media/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /media/'''<your iPod's name>'''/.boot/init.emcoreapp

===Mac OS X===
''Files starting with dot are hidden by default, so you need to either use the '''Terminal''' application, or change a system preference in order to show them.''

An example to copy the file using the '''Terminal''' would be:
 mkdir -p /Volumes/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /Volumes/'''<your iPod's name>'''/.boot/init.emcoreapp

==References==
<references />
6bf5933e84ee6b1c03b4140275d64dec13aa70e5 EmCORE Releases 0 346 3924 3913 2011-05-25T21:16:13Z User890104 124 wikitext text/x-wiki
Here is a list of all builds of [[emCORE]] that have been released into public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

'''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!'''

==r708: April 24th, 2011==
===Release notes / Known issues===
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
===Fixes / Improvements===
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 212cfcac73b7bbe5004483bfc1034c2221ea51f1 3951 3924 2011-07-11T12:00:32Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. 
If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. 
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. 
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 4347d39db5e985c5ea34c49691cae9555259934e EmCORE 0 323 
3926 3869 2011-05-26T10:00:00Z User890104 124 wikitext text/x-wiki
==emCORE kernel==
emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day).

===Features===
* Preemptive multitasking
* Can run multiple independent apps at the same time
* Shared library support
* USB debugging API
* FAT32 file system access
* LCD text console and graphics API
* Can run other kernels (such as [http://www.rockbox.org/ Rockbox]) through a kexec-like interface
* ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer)

==emCORE boot menu==
When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options.

==emCORE fastboot==
You can use [[Fastboot|fastboot]] in order to launch [http://www.rockbox.org/ Rockbox] even more quickly when the iPod starts.

==Installation instructions==
There's an installation wizard available on [[EmCORE Installation|this page]].

==Uninstallation instructions==
There's an uninstallation wizard available on [[EmCORE Uninstallation|this page]].
1782f212ebb9804842a6bc9f147953126473bf09 Hardware 0 54 3927 3919 2011-05-26T12:43:00Z User890104 124 wikitext text/x-wiki
This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on its link.

{| class="wikitable"
! Generation !! CPU !! RAM !! size !! Utility flash !!
size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |? |? |? |- |[[Nano 6G|"Nano" 6G]] |S5L8723 |Integrated |64MB |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 25f206f378e19a74d499ad29feae1c7aa29d8c9f Talk:EmCORE Releases 1 356 3928 3922 2011-05-27T17:11:50Z VaSh 188 /* Sound Quality Improvements */ new section wikitext text/x-wiki == Nano 
2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl a75e1acc100bfaf94591db6170e4de882f1c59cc 3929 3928 2011-05-27T17:12:47Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad?
(: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: Hoping sound quality bug will be fixed as well (: Vasyl. == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl 7e8d30d3818e624a0a7fb8ad47a3daaba8531818 3930 3929 2011-05-27T17:13:52Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed.
[[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like it'll planned to be out in week or two. Hoping sound quality bug will be fixed as well (: Vasyl. == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl 315f0ee40c9e12d14f3146d4e63c266ef77ae53d 3931 3930 2011-05-27T17:14:21Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two. Hoping sound quality bug will be fixed a bit as well (: Vasyl. == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks.
New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl bdc0457684b34f17375e9c479d31d2565641487b 3932 3931 2011-05-27T17:15:08Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well At least a bit. Tnx. Vasyl. == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl ae493b04c6a98c0bc2ea56921f9cf17d54a9aafd 3933 3932 2011-05-27T17:15:40Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl 7f62100335305edef894226560a9c0986837369d 3938 3933 2011-07-02T12:20:33Z VaSh 188 /* Next release */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl 9d20f150fd367ca830a0e105383e65a26d5c4422 3939 3938 2011-07-02T12:23:01Z VaSh 188 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? 8f9bc2363075deab8ae5f5acd1464c40ca82adf0 3940 3939 2011-07-02T14:12:43Z Matthew 317 /* Last Rockbox Build */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. 8413c019896776aa5e3f626c906bc3038d87b386 3941 3940 2011-07-03T05:12:43Z VaSh 188 /* Last Rockbox Build */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey!
Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update 0be7dd52dce73ad35b13d5645c2bb7dcf6faec0e 3959 3941 2011-07-27T18:01:05Z Jkbuha 293 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info.
Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl Hi Vasyl Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. Hope this helps! Cheers jkbuha == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update 858ab61e7515add50d71fbf407f06ba6535461f2 3960 3959 2011-07-27T18:02:21Z Jkbuha 293 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano.
I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl ============================================== Hi Vasyl Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. Hope this helps! Cheers jkbuha == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update f9e0d6c37f4929b1ff62aaf236d1cd9f79e812d5 3961 3960 2011-07-27T18:03:26Z Jkbuha 293 Sound Update wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey!
Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl Sound Update Hi Vasyl Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. Hope this helps! Cheers jkbuha == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update 85e76d4c350e602a190a3d6664091786768309ba 3962 3961 2011-07-30T07:50:20Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. : Hope this helps! : Cheers : jkbuha :: Thank u so much Jkbuha!! I'm giving it a try right away! :: Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update 793c2c586f1eb71fa5662057a8be876377f0ddf7 3963 3962 2011-07-30T07:50:57Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys!
Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. : I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. : Hope this helps! : Cheers : jkbuha :: Thank u so much Jkbuha!! I'm giving it a try right away! :: Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update 56cc889726a5695b1785f89cf96667728201d5d5 3964 3963 2011-07-30T07:51:18Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano.
I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. Guys! Any update on this (: Please... == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
128328c0a46d55269173cd3f8ab60f74a092b28a
3965 3964 2011-07-30T07:51:35Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys!
Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
56cc889726a5695b1785f89cf96667728201d5d5
3966 3965 2011-07-30T09:29:24Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano.
I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys! Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx
:: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
13459e2638ae6bfa52c8474a7cf424e31235d86c
3967 3966 2011-07-30T13:00:04Z Jkbuha 293 wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed.
[[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys! Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference.
You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
072940f47a0002458378a48f4aa185952fc93b72
3968 3967 2011-08-09T17:38:28Z Ufos 327 /* Last Rockbox Build */ Question wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage.
--[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys! Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn?
Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
575d8b2650c765bf1cdda0a069ef8abbd4660c04
3977 3968 2011-08-18T18:42:07Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad?
(:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys! Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed.
I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
:::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get some time. Tnx again!
:::: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
495b9702c6926b8e167071eccdbcdb4a925e81b1
3978 3977 2011-08-18T18:44:05Z VaSh 188 /* Sound Quality Improvements */ wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
Guys! Any update on this (: Please...
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock.
The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
:::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again!
:::: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
1102e4232fe445393c53c7c4a48edd8777f1d574
3979 3978 2011-08-18T19:21:58Z User890104 124 wikitext text/x-wiki
== Nano 2G ==
So are there instructions to getting this on my 2G nano. I would really like to test this.
: Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
== Voltage reduction on classic ==
''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (:
: In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC)
==Next release==
When next release is planned to be out?
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
::: There is no plan. Really. The developers decide to spend their own free time to improve the code, and when there are some major changes, or a serious bug is found and fixed, a release comes out. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
Guys! Any update on this (: Please...
:There are automated builds of the current source at [http://builds.freemyipod.org/ builds.freemyipod.org] for the impatient, but there aren't so many changes/improvements since the last release, and there are some bugs that aren't fixed yet. So please use the latest release builds, to avoid any issues. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn?
Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
:::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again!
:::: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
:::: Since Rockbox on the classics is still flagged as Unusable, there aren't any stable/release builds for these. Your best bet would be using the current build, which is located at http://build.rockbox.org/data/rockbox-ipodclassic.zip (this url always points at the most recent build). And again, these are completely untested, and you run them on your own risk. Be warned!
--[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
3cdfd5b97ca062857bc187a1426a4e1a841b6b66
Talk:EmCORE 1 358 3935 3866 2011-06-03T10:29:36Z Taffeylewis 282 /* Unable to restore Apple firmware on iPod Classic 1G */ new section wikitext text/x-wiki
==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)
and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)
== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this? I just installed EmCORE.
: For others this was caused by a too old RockBox, so you might want to try upgrading it. --[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)
== Unable to restore Apple firmware on iPod Classic 1G ==
I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can an uninstall EmCORE option be put in the tools menu like the Nano 2g version? Thanks.
c1d737a3430d217abdbeefd1e8934f2655836719
3936 3935 2011-06-30T11:56:55Z Farthen 28 /* Unable to restore Apple firmware on iPod Classic 1G */ wikitext text/x-wiki
==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)
and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)
== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this? I just installed EmCORE.
: For others this was caused by a too old RockBox, so you might want to try upgrading it.
--[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)
== Unable to restore Apple firmware on iPod Classic 1G ==
I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can an uninstall EmCORE option be put in the tools menu like the Nano 2g version? Thanks.
:Did you plug in your iPod to your computer? Are you sure that you've been holding the combo for 10 seconds continuously? Adding an uninstall option in the menu wouldn't help at all BTW: You would have to restore with iTunes anyway which is only possible through DFU mode on the classic. The classic uninstallation is actually an '''improvement''' over the one used for the nano 2g.
d5281aaceeeb4cc4ee781de9ac007b45aab583d8
3937 3936 2011-06-30T11:57:09Z Farthen 28 /* Unable to restore Apple firmware on iPod Classic 1G */ wikitext text/x-wiki
==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)
and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)
== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this? I just installed EmCORE.
: For others this was caused by a too old RockBox, so you might want to try upgrading it. --[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)
== Unable to restore Apple firmware on iPod Classic 1G ==
I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can an uninstall EmCORE option be put in the tools menu like the Nano 2g version?
Thanks. :Did you plug in your iPod to your computer? Are you sure that you've been holding the combo for 10 seconds continuously? Adding an uninstall option in the menu wouldn't help at all BTW: You would have to restore with iTunes anyway which is only possible through DFU mode on the classic. The classic uninstallation is actually an '''improvement''' over the one used for the nano 2g. --[[User:Farthen|Farthen]] 11:57, 30 June 2011 (UTC) 7a1784eeda93472d81ff640e050d8c2529c1b33a Nano 4G 0 243 3943 3918 2011-07-06T11:52:04Z Farthen 28 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} ==Reverse Engineering Results== Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 11cba90f609dcedb43a1fb9e20cf7caef229371e 3946 3943 2011-07-09T15:34:58Z Farthen 28 Add status registers wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |}

==Reverse Engineering Results==
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151.

==Status registers==
We dumped all c0 coprocessor registers:

===c0,c0===
'''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 4

===c0,c1===
'''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4-way associative, 32-byte line size

===c0,c2===
'''Value:''' 0x00000000 '''Interpretation:''' No TCM

===c0,c3===
'''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries

===c1,c0===
'''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support

===c1,c1===
'''Value:''' 0x00000011 '''Interpretation:''' TrustZone v1

===c1,c2===
'''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure

===c1,c3===
'''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features

===c1,c4===
'''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7

===c1,c5===
'''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM)

===c1,c6===
'''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation

===c1,c7===
'''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support

===c2,c0===
'''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB; doesn't support division, combined compare and branch or bitfield instructions

===c2,c1===
'''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ,
BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND

===c2,c2===
'''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs

===c2,c3===
'''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.

===c2,c4===
'''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No support for barrier instructions.
===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) ff0d439941e053fa4a2ced133026e8cbb8a5101a 3953 3946 2011-07-12T15:15:18Z TheSeven 13 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58] | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |}

==Reverse Engineering Results==
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151.

==Status registers==
We dumped all c0 coprocessor registers:

===c0,c0===
'''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 4

===c0,c1===
'''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4-way associative, 32-byte line size

===c0,c2===
'''Value:''' 0x00000000 '''Interpretation:''' No TCM

===c0,c3===
'''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries

===c1,c0===
'''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support

===c1,c1===
'''Value:''' 0x00000011 '''Interpretation:''' TrustZone v1

===c1,c2===
'''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure

===c1,c3===
'''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features

===c1,c4===
'''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7

===c1,c5===
'''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM)

===c1,c6===
'''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation

===c1,c7===
'''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support

===c2,c0===
'''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB; doesn't support division, combined compare and branch or bitfield instructions

===c2,c1===
'''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ,
BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND

===c2,c2===
'''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs

===c2,c3===
'''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.

===c2,c4===
'''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No support for barrier instructions.
===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 1183dd74f3b9a2083cf2bf3e8237a2e6c9f2273a 3954 3953 2011-07-12T15:17:03Z TheSeven 13 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/12726.pdf LIS302DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58] | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. 
|- | 1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |}

==Reverse Engineering Results==
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151.

==Status registers==
We dumped all c0 coprocessor registers:

===c0,c0===
'''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 4

===c0,c1===
'''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4-way associative, 32-byte line size

===c0,c2===
'''Value:''' 0x00000000 '''Interpretation:''' No TCM

===c0,c3===
'''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries

===c1,c0===
'''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support

===c1,c1===
'''Value:''' 0x00000011 '''Interpretation:''' TrustZone v1

===c1,c2===
'''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure

===c1,c3===
'''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features

===c1,c4===
'''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7

===c1,c5===
'''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM)

===c1,c6===
'''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation

===c1,c7===
'''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support

===c2,c0===
'''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB; doesn't support division, combined compare and branch or bitfield instructions

===c2,c1===
'''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ,
BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND

===c2,c2===
'''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs

===c2,c3===
'''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.

===c2,c4===
'''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No support for barrier instructions.
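
The interpretations given for c0,c0, c0,c1, c0,c3 and c1,c0 can be reproduced by splitting the raw values into their ARMv6 CP15 bit fields. The following is an added example, not code from the freemyipod project; the function names are this example's own, and the two lookup tables cover only the codes that occur on this page.

```python
# Added example: decode the ARMv6 CP15 c0 identification values listed above.
# Field positions follow the ARMv6 register layouts (Main ID, Cache Type,
# TLB Type, Processor Feature 0). Function names are hypothetical.

IMPLEMENTERS = {0x41: "ARM"}        # only the implementer code seen on this page
PART_NUMBERS = {0xB76: "ARM1176"}   # only the part number seen on this page


def bits(value, high, low):
    """Return value[high:low] as an unsigned integer."""
    return (value >> low) & ((1 << (high - low + 1)) - 1)


def decode_midr(value):
    """Main ID register (c0,c0)."""
    part = bits(value, 15, 4)
    return {
        "implementer": IMPLEMENTERS.get(bits(value, 31, 24), "unknown"),
        "variant": bits(value, 23, 20),
        "architecture": bits(value, 19, 16),   # 0xF: see the feature registers
        "part": PART_NUMBERS.get(part, hex(part)),
        "revision": bits(value, 3, 0),
    }


def decode_cache_size_field(field):
    """Decode one 12-bit Dsize/Isize field of the ARMv6 Cache Type register."""
    m = bits(field, 2, 2)              # multiplier bit: 0 -> x2, 1 -> x3
    size_code = bits(field, 9, 6)
    assoc_code = bits(field, 5, 3)
    if m == 1 and assoc_code == 0:
        return None                    # this encoding means "cache absent"
    return {
        "size_bytes": (2 + m) << (8 + size_code),
        "ways": ((2 + m) << assoc_code) >> 1,
        "line_bytes": 8 << bits(field, 1, 0),
        "page_colouring_restriction": bool(bits(field, 11, 11)),
    }


def decode_cache_type(value):
    """Cache Type register (c0,c1)."""
    return {
        "ctype": bits(value, 28, 25),
        "separate": bool(bits(value, 24, 24)),   # 1 = Harvard I/D caches
        "dcache": decode_cache_size_field(bits(value, 23, 12)),
        "icache": decode_cache_size_field(bits(value, 11, 0)),
    }


def decode_tlb_type(value):
    """TLB Type register (c0,c3)."""
    return {
        "unified": bits(value, 0, 0) == 0,
        "data_lockable": bits(value, 15, 8),     # unified/data lockable entries
        "instr_lockable": bits(value, 23, 16),
    }


def decode_pfr0(value):
    """Processor Feature Register 0 (c1,c0): instruction set states."""
    thumb = bits(value, 7, 4)
    return {
        "arm": bits(value, 3, 0) >= 1,
        "thumb1": thumb >= 1,
        "thumb2": thumb == 3,
        "jazelle": bits(value, 11, 8) >= 1,
    }


def main():
    # Raw values as dumped on this page.
    print("c0,c0", decode_midr(0x410FB764))
    print("c0,c1", decode_cache_type(0x1D152152))
    print("c0,c3", decode_tlb_type(0x00000800))
    print("c1,c0", decode_pfr0(0x00000111))


if __name__ == "__main__":
    main()
```
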
===c2,c5===
'''Value:''' 0x00000000 '''Interpretation:''' No additional implementation-defined instruction set extensions

==Helpful pages==
Teardowns:
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
Other:
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

1beedbb40658e1670048aafa9190b48a3cf537ca Troubleshooting 0 295 3944 3864 2011-07-08T20:30:14Z User890104 124 wikitext text/x-wiki

Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==[[Nano_2G|Nano 2G]]==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the script by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].

===Recovery mode===
Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on.
If you manage to do this fast enough, your iPod will show some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update. ====Uploading an [[emCORE]] installer==== After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run: <pre>python emcoreldr.py run installer-*.ubi</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see something similar to that in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading installer-XXXXX.ubi to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre> Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation. ====Uploading an [[emCORE]] binary==== You will need a known-working [[emCORE]] build, you can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command: <pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see this text in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading emcore-ipodnano2g.bin to 0x 8000000..... 
done Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the emcore.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an [[emCORE]] Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command:
<pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1 Upload: ..... done</pre>
Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre>
You can proceed with the instructions from the previous sections ([[#Uploading_an_installer|Uploading an installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation.
==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]==
(to be continued)

0a568bcff52fee3388f4ecaba0660369042686c1 3945 3944 2011-07-08T21:37:57Z User890104 124 wikitext text/x-wiki

Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==[[Nano_2G|Nano 2G]]==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the script by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].

===Recovery mode===
Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre>
At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update.
====Uploading an [[emCORE]] installer====
After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python emcoreldr.py run installer-*.ubi</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to that in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading installer-XXXXX.ubi to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation.

====Uploading an [[emCORE]] binary====
You will need a known-working [[emCORE]] build. You can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading emcore-ipodnano2g.bin to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the emcore.py script.
===DFU Mode===
If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an [[emCORE]] Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or ask someone on IRC. Then you put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command:
<pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1 Upload: ..... done</pre>
Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre>
Next, you need to upload and run another copy of [[emCORE]] Loader at a different address using the following commands:
<pre>python emcoreldr.py upload 0x22000000 emcoreldr-ipodnano2g.bin
python emcoreldr.py execute 0x22000000 0x00000000</pre>
If everything goes fine, the display will show the same text as before entering these commands. You can proceed with the instructions from the previous sections ([[#Uploading_an_emCORE_installer|Uploading an emCORE installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation.
==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]==
(to be continued)

93f7b57273422aee5f07b4c9e943d229a3232aa9 3952 3945 2011-07-11T19:38:56Z User890104 124 wikitext text/x-wiki

Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into.

==[[Nano_2G|Nano 2G]]==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the script by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].

===Recovery mode===
Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following:
<pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre>
At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update.
====Uploading an [[emCORE]] installer====
After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python emcoreldr.py run installer-*.ubi</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to that in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading installer-XXXXX.ubi to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation.

====Uploading an [[emCORE]] binary====
You will need a known-working [[emCORE]] build. You can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading emcore-ipodnano2g.bin to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the emcore.py script.
===DFU Mode=== If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device. ====Uploading an [[emCORE]] Loader==== First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.dfu here]. Then you put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command: <pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see the following text in your terminal: <pre>Connected to S5L8701 Bootrom DFU mode, USB version 1 Upload: ..... done</pre> Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> Next, you need to upload and run another copy of [[emCORE]] Loader at a different address. You can build the required file yourself, or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.bin here] and then upload it to your device using the following commands: <pre>python emcoreldr.py upload 0x22000000 emcoreldr-ipodnano2g.bin python emcoreldr.py execute 0x22000000 0x00000000</pre> If everything goes fine, the display will show the same text as before entering these commands. You can proceed with the instructions from the previous sections ([[#Uploading_an_emCORE_installer|Uploading an emCORE installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation. 
==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]== (to be continued) 954b4729b4e2b83c1dad19939d4a5445026a71b2 3974 3952 2011-08-18T11:07:53Z User890104 124 add basic instructions about the classics wikitext text/x-wiki Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into. ==[[Nano_2G|Nano 2G]]== After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the script by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder]. ===Recovery mode=== Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode. ====Getting to Recovery mode==== Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. 
If you manage to do this fast enough, your iPod will show some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update. ====Uploading an [[emCORE]] installer==== After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run: <pre>python emcoreldr.py run installer-*.ubi</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see something similar to that in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading installer-XXXXX.ubi to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre> Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation. ====Uploading an [[emCORE]] binary==== You will need a known-working [[emCORE]] build, you can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command: <pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see this text in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading emcore-ipodnano2g.bin to 0x 8000000..... 
done Passing control to code at 0x 8000000... done</pre> Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this: <pre>emCORE vX.X.X rXXX Waiting for USB commands</pre> If everything goes as described here, you can connect to your device using the emcore.py script. ===DFU Mode=== If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device. ====Uploading an [[emCORE]] Loader==== First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.dfu here]. Then you put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command: <pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see the following text in your terminal: <pre>Connected to S5L8701 Bootrom DFU mode, USB version 1 Upload: ..... done</pre> Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> Next, you need to upload and run another copy of [[emCORE]] Loader at a different address. 
You can build the required file yourself, or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.bin here] and then upload it to your device using the following commands: <pre>python emcoreldr.py upload 0x22000000 emcoreldr-ipodnano2g.bin python emcoreldr.py execute 0x22000000 0x00000000</pre> If everything goes fine, the display will show the same text as before entering these commands. You can proceed with the instructions from the previous sections ([[#Uploading_an_emCORE_installer|Uploading an emCORE installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation. ==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]== The DFU mode of the Classics is supported by iTunes. So you should always be able to enter DFU (holding MENU+SELECT for 10-15 seconds while connected to USB), and either restore with iTunes, or (re)install [[emCORE]]. If you're unable to enter DFU, please [[Contact|contact us]]. 83de2f18d8ad37d715de27258d57e42d6a32adc6 3975 3974 2011-08-18T11:11:52Z User890104 124 wikitext text/x-wiki Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken; it means that you should follow the instructions that best describe your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into. ==[[Nano_2G|Nano 2G]]== After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). 
You can get the script by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder]. ===Recovery mode=== Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode. ====Getting to Recovery mode==== Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update. ====Uploading an [[emCORE]] installer==== After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run: <pre>python emcoreldr.py run installer-*.ubi</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see something similar to that in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading installer-XXXXX.ubi to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre> Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation. 
====Uploading an [[emCORE]] binary==== You will need a known-working [[emCORE]] build, you can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command: <pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see this text in your terminal window: <pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1 Uploading emcore-ipodnano2g.bin to 0x 8000000..... done Passing control to code at 0x 8000000... done</pre> Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this: <pre>emCORE vX.X.X rXXX Waiting for USB commands</pre> If everything goes as described here, you can connect to your device using the emcore.py script. ===DFU Mode=== If something goes terribly wrong and your iPod does not display any contents on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device. ====Uploading an [[emCORE]] Loader==== First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.dfu here]. 
Then you put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command: <pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre> (if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell) You should see the following text in your terminal: <pre>Connected to S5L8701 Bootrom DFU mode, USB version 1 Upload: ..... done</pre> Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print some text, similar to the following: <pre>emCORE Loader vX.X.X rXXX Switch HOLD on for recovery Entered recovery mode Connect via USB</pre> Next, you need to upload and run another copy of [[emCORE]] Loader at a different address. You can build the required file yourself, or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.bin here] and then upload it to your device using the following commands: <pre>python emcoreldr.py upload 0x22000000 emcoreldr-ipodnano2g.bin python emcoreldr.py execute 0x22000000 0x00000000</pre> If everything goes fine, the display will show the same text as before entering these commands. You can proceed with the instructions from the previous sections ([[#Uploading_an_emCORE_installer|Uploading an emCORE installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation. ==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]== ===Recovery Mode=== Since the Classics have DFU, recovery mode is not implemented. ===DFU Mode=== The DFU mode of the Classics is supported by iTunes. So you should always be able to enter DFU (holding MENU+SELECT for 10-15 seconds while connected to USB), and either restore with iTunes, or [[EmCORE_Installation|(re)install emCORE]]. If you're unable to enter DFU, please [[Contact|contact us]]. 
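The Nano 2G DFU recovery sequence above, as an added example that is not part of the original wiki page or of the freemyipod tools: a wrapper that refuses to upload a loader image whose SHA-256 differs from a value you pinned beforehand, then runs the page's three commands in order and stops at the first step that fails. The pinned digests are placeholders (the page publishes no hashes), and the <code>python</code> executable name and the tools exiting non-zero on failure are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# The three commands from the "DFU Mode" section, in page order. Each entry:
# (argv, regex the tool output must match, question for the operator).
# The page shows expected output only for ipoddfu.py, so the other two steps
# are judged by exit code alone (assumes the tools exit non-zero on failure).
STEPS = [
    (["python", "ipoddfu.py", "emcoreldr-ipodnano2g.dfu"],
     r"Connected to S5L8701 Bootrom DFU mode.*Upload:.*done",
     "Does the display show 'Entered recovery mode'?"),
    (["python", "emcoreldr.py", "upload", "0x22000000",
      "emcoreldr-ipodnano2g.bin"], None, None),
    (["python", "emcoreldr.py", "execute", "0x22000000", "0x00000000"],
     None, "Does the display show the same loader text as before?"),
]

# Placeholders, not real digests: record these from your own build or from a
# copy you have reviewed, since the images are fetched over plain HTTP.
PINNED_SHA256 = {
    "emcoreldr-ipodnano2g.dfu": "<pinned-sha256-of-dfu-image>",
    "emcoreldr-ipodnano2g.bin": "<pinned-sha256-of-loader-binary>",
}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(workdir, pinned):
    """Return a list of problems; an empty list means every image matches."""
    problems = []
    for name, wanted in pinned.items():
        path = Path(workdir) / name
        if not path.is_file():
            problems.append(f"{name}: file is missing")
        elif sha256_of(path) != wanted.lower():
            problems.append(f"{name}: SHA-256 differs from the pinned value")
    return problems


def run_tool(argv, workdir):
    """Run one recovery command and return (exit code, combined output)."""
    proc = subprocess.run(argv, cwd=workdir, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def recover(workdir, pinned, runner=run_tool, confirm=lambda question: True):
    """Verify the images, then run STEPS in order. Returns (ok, log lines)."""
    problems = preflight(workdir, pinned)
    if problems:
        return False, problems  # nothing is sent to the device
    log = []
    for argv, marker, question in STEPS:
        code, output = runner(argv, workdir)
        log.append("ran: " + " ".join(argv))
        if code != 0:
            return False, log + [f"stopped: exit code {code}"]
        if marker and not re.search(marker, output, re.S):
            return False, log + ["stopped: expected tool output not seen"]
        if question and not confirm(question):
            return False, log + ["stopped: operator did not confirm display"]
    return True, log


if __name__ == "__main__":
    def ask(question):
        return input(question + " [y/N] ").strip().lower() == "y"

    ok, lines = recover(".", PINNED_SHA256, confirm=ask)
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)
```

Turning the HOLD switch on before the first command stays a manual step; the script only asks the operator to confirm what the display shows.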
2b2ce7af40a831fcaa850d7cc7c37fcf07ff9f53 GUID table 0 268 3947 3893 2011-07-10T19:58:55Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- |rowspan="2"| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | Nano4G EFI || DxeD1759:40081234 |- | Nano3G EFI || DxeD1671:40030FAC, table entries: * +0 pmu_read(void *this, char reg, unsigned int size, void *data) * +4 pmu_write(void *this, char reg, unsigned int size, void *data) |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G 
EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 
0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xFB990276, 0x17F7, 0x421D, 0x320C8C99, 0xE9713B76> || Nano4G EFI || ShellCommand:405A0470 |- |} 98007d4c9090c1c02404d92a30374410dc585dd6 3948 3947 2011-07-10T20:18:41Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- |rowspan="2"| <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | Nano4G EFI || DxeD1759:40081234 |- | Nano3G EFI || DxeD1671:40030FAC, table entries: * +0 pmu_read(void *this, char reg, unsigned int size, void *data) * +4 pmu_write(void *this, char reg, unsigned int size, void *data) |- | 
<0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 
0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |-|} 2f13a6b84380d98305ac7e5c2ae3808f8672f351 3949 3948 2011-07-10T20:29:05Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 
0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano3G EFI || DxeD1671:40030FAC, table entries: * +0 pmu_read(void *this, char reg, unsigned int size, void *data) * +4 pmu_write(void *this, char reg, unsigned int size, void *data) |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- 
| <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |-|} 1b90d07eca56988ea369e8246ca56198c26553d5 3950 3949 2011-07-10T20:31:46Z TheSeven 13 wikitext text/x-wiki {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | 
<0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano3G EFI || DxeD1671:40030FAC, table entries: * +0 pmu_read(void *this, char reg, unsigned int size, void *data) * +4 pmu_write(void *this, char reg, unsigned int size, void *data) |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI, Nano3G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI, Nano3G EFI || Cpu:400A06F4 (Nano4G) (on Nano3G: some EFI_CPU_ARCH_PROTOCOL with two additional functions) |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI, Nano3G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice, Nano 4G) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / 
DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |- | <0x3622282D, 0xC57F, 0x4A7A, 0xD137CAAD, 0x2233AF3C> || Nano4G EFI || Swif:405F02E0 |-|} 6fe22e90f2faa7275d36ec9827e0d4146dc4a302 3955 3950 2011-07-14T17:12:28Z Benedikt93 145 wikitext text/x-wiki = Nano 3G EFI = {| class="wikitable prettytable sortable" |+ List of EFI protocol GUIDs found in the Nano 3G EFI |- ! GUID !! 
Description |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | GUID at DxeD1671 +0x103C, registered at DxeD1671 +0x6F6, interface (at DxeD1671 +0xFAC): * +0 pmu_read(void *this, char reg, unsigned int size, void *data); * +4 pmu_write(void *this, char reg, unsigned int size, void *data); |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> | GUID at Cpu +0x8E0, registered at Cpu +0x37C, interface (at Cpu +0x894): * +0 int disable_MMU_and_Caches(void* this); * +4 int enable_MMU_and_Caches(void* this); |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at Cpu +0x8C4, registered at Cpu +0x37C, interface (at Cpu +0x89C): [http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL] |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> | GUID at DxeSmbus +0x6D8, registered at DxeSmbus +0x404, interface (at DxeSmbus +0x6BC): [http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL] |- |} = Nano 4G EFI = {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4 |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 
0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |- | <0x3622282D, 0xC57F, 0x4A7A, 0xD137CAAD, 0x2233AF3C> || Nano4G EFI || Swif:405F02E0 |- |} b19d53c94a430f58ab70d19f5e3895117b2e25b7 3956 3955 2011-07-14T17:20:36Z Benedikt93 145 wikitext text/x-wiki = Nano 3G EFI = {| class="wikitable prettytable sortable" |+ List of EFI protocol GUIDs found in the Nano 3G EFI |- ! GUID !! 
Description |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | GUID at DxeD1671 +0x103C, registered at DxeD1671 +0x6F6, interface (at DxeD1671 +0xFAC): * +0 pmu_read(void *this, char reg, unsigned int size, void *data); * +4 pmu_write(void *this, char reg, unsigned int size, void *data); |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> | GUID at Cpu +0x8E0, registered at Cpu +0x37C, interface (at Cpu +0x894): * +0 int disable_MMU_and_Caches(void* this); * +4 int enable_MMU_and_Caches(void* this); |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at Cpu +0x8C4, registered at Cpu +0x37C, interface (at Cpu +0x89C): [http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL] |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> | GUID at DxeSmbus +0x6D8, registered at DxeSmbus +0x404, interface (at DxeSmbus +0x6BC): [http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL] |- | <0x26BACCB2, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at S5L8900Metronome +0x4FC, registered at S5L8900Metronome +0x246, interface (at S5L8900Metronome +0x4F4): [http://www.cse.msu.edu/~austinro/dox/html/struct___e_f_i___m_e_t_r_o_n_o_m_e___a_r_c_h___p_r_o_t_o_c_o_l.html _EFI_METRONOME_ARCH_PROTOCOL], TickPeriod = 10 |- |} = Nano 4G EFI = {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! 
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4 |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 
0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |- | <0x3622282D, 0xC57F, 0x4A7A, 0xD137CAAD, 0x2233AF3C> || Nano4G EFI || Swif:405F02E0 |- |} 3bc5be96195d654014dd9c2c971180305ff0ed0f EmCORE Installation/iPodClassic/ChooseMethod 0 354 3958 3843 2011-07-21T22:06:47Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE 
Installation/iPodClassic/InstalliTunes|Install iTunes]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|Install a custom device driver for the iPod (advanced users only)]] fcb4ef8fc760b26449ba24dd7f843d590136936f Nano 5G 0 244 3970 3297 2011-08-12T08:27:15Z User890104 124 fix dead url wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATASHEET/CD00213611.pdf LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. 
|- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 53515a2c786431acea3c69812fbe79a97d52b25e Talk:EmCORE Installation/iPodClassic/UnsupportedOS 1 372 3971 2011-08-13T17:31:00Z Bbthatsme 329 Created page with "Is there anything in the works to allow macs to be able to see UMSBoot? Is it just a special type of file system that macs dont recognize? All I would need to do is put files on ..." wikitext text/x-wiki Is there anything in the works to allow macs to be able to see UMSBoot? Is it just a special type of file system that macs dont recognize? All I would need to do is put files on and take files off, what needs to be done before this is possible? 9b606e8930aae71abdec26e875c8dbf738014983 3972 3971 2011-08-15T08:21:11Z User890104 124 wikitext text/x-wiki Is there anything in the works to allow macs to be able to see UMSBoot? Is it just a special type of file system that macs dont recognize? All I would need to do is put files on and take files off, what needs to be done before this is possible? :Please join our [[Contact#.23freemyipod-support|support IRC channel]], so we can think up of something. --[[User:User890104|User890104]] 08:21, 15 August 2011 (UTC) f4eeccdddb840e3734ec09ecc849bfa42502f528 Troubleshooting 0 295 3980 3975 2011-08-19T17:03:47Z User890104 124 wikitext text/x-wiki Sometimes your iPod may get into an unusable state, which is often called "bricked". It does not mean that your device is permanently broken, it means that you should follow the instructions that describe best your case. Different devices have different methods for getting out of a "bricked" condition. Here is a summary of each device and the conditions that it may get into. 
==[[Nano_2G|Nano 2G]]==
After installing or updating [[emCORE]], your iPod may not complete the flashing process successfully. This will lead to an unfinished installation which does not work as expected. To recover your device you will need some Python scripts from [[SVN|the SVN]], a [http://www.python.org/ Python] interpreter, [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyUSB] and [http://files.freemyipod.org/misc/windows_driver.zip a driver] (for Windows only). You can get the scripts by checking out [http://svn.freemyipod.org/emcore/trunk/tools/ this folder].

===Recovery mode===
Sometimes [[emCORE]] may not finish loading and crash before showing the menu, because you have installed a faulty build (for example, when making changes and then building the code yourself). In this case, you need to enter [[emCORE]] Loader's Recovery mode.

====Getting to Recovery mode====
Restart your iPod by holding MENU+SELECT until the screen turns off, then '''immediately''' turn the HOLD switch on. If you manage to do this fast enough, your iPod will show text similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
At that point you can either run an [[emCORE]] build directly to manually fix the problem, or reinstall [[emCORE]], in case the problem was caused by a failed update.

====Uploading an [[emCORE]] installer====
After that, you need an installer binary. You can get the official version from [[EmCORE_Releases|the releases page]] or build one yourself. Place it in the same folder as the previous files, then run:
<pre>python emcoreldr.py run installer-*.ubi</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see something similar to this in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading installer-XXXXX.ubi to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Your iPod should launch the installer program. Follow the instructions on the screen to update your [[emCORE]] installation.

====Uploading an [[emCORE]] binary====
You will need a known-working [[emCORE]] build. You can use one that you have built yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), grab the latest from [http://builds.freemyipod.org/ the build server] by selecting the "ubi" link for the device you need ('''not recommended''' because they might not have been tested yet), or ask on IRC for one. After you get one and place it in the same folder as the scripts, you can proceed with the following command:
<pre>python emcoreldr.py run emcore-ipodnano2g.bin</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see this text in your terminal window:
<pre>Connected to emCORE Loader Recovery Mode on iPod Nano 2G, USB version 1
Uploading emcore-ipodnano2g.bin to 0x 8000000..... done
Passing control to code at 0x 8000000... done</pre>
Then, you will (hopefully) see an [[emCORE]] console on your iPod's screen. It will say something similar to this:
<pre>emCORE vX.X.X rXXX
Waiting for USB commands</pre>
If everything goes as described here, you can connect to your device using the emcore.py script.

===DFU Mode===
If something goes terribly wrong and your iPod does not display anything on the screen when powering on, it means that it is in Bootrom DFU mode. This mode is a last resort for recovering your device.

====Uploading an [[emCORE]] Loader====
First, you need to check out [http://svn.freemyipod.org/tools/ipoddfu/ this folder]. Then you need a DFU image that contains [[emCORE]] Loader. You can build one yourself (but only if you have access to a working [[Nano_2G|Nano 2G]]), or download it [http://files.freemyipod.org/tmp/emcoreldr-ipodnano2g.dfu here]. Then put it in the same folder as ipoddfu.py, '''<big>turn your iPod's HOLD switch on</big>''' and enter the following command:
<pre>python ipoddfu.py emcoreldr-ipodnano2g.dfu</pre>
(if you are on *nix, you may need to prefix it with "sudo" or run it from a root shell)

You should see the following text in your terminal:
<pre>Connected to S5L8701 Bootrom DFU mode, USB version 1
Upload: ..... done</pre>
Then your iPod should be in [[emCORE]] Loader's recovery mode. You can confirm that by looking at your device's display. It should print text similar to the following:
<pre>emCORE Loader vX.X.X rXXX
Switch HOLD on for recovery
Entered recovery mode
Connect via USB</pre>
If everything goes fine, you can proceed with the instructions from the previous sections ([[#Uploading_an_emCORE_installer|Uploading an emCORE installer]] or [[#Uploading_an_emCORE_binary|Uploading an emCORE binary]]) in order to recover your [[emCORE]] installation.

==[[Classic_1G|Classic 1G]] / [[Classic_2G|Classic 2G]] / [[Classic_3G|Classic 3G]]==
===Recovery Mode===
Since the Classics have DFU, recovery mode is not implemented.

===DFU Mode===
The DFU mode of the Classics is supported by iTunes, so you should always be able to enter DFU (holding MENU+SELECT for 10-15 seconds while connected to USB), and either restore with iTunes, or [[EmCORE_Installation|(re)install emCORE]]. If you're unable to enter DFU, please [[Contact|contact us]].

27dbd33c87efb9abcff716380d57159c09fa1f75 Status 0 121 3982 3789 2011-08-22T21:35:39Z User890104 124 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[EmCORE_Installation|emCORE Installer]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> b9f30e9585ecda0bda962256e87eef8b1b92628d 3983 3982 2011-08-22T21:41:11Z User890104 124 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[EmCORE_Installation|emCORE Installer]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span 
style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 9d6493b86faf17bf61b18dad0eb68baa6273f1ec 4003 3983 2011-09-11T13:13:02Z User890104 124 add RTC wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[EmCORE_Installation|emCORE Installer]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span 
style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> cb82577e2c9b99d474167e4b2571d398b5a5381c 4008 4003 2011-09-24T14:18:05Z User890104 124 wikitext text/x-wiki This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! 
[[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span 
style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | 
<span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. 
We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 55b0c1ffd230c23d84e6edc0aa5266f47fa2c66e Talk:EmCORE Releases 1 356 3984 3979 2011-08-23T07:58:43Z Jkbuha 293 /* Classic and RGB666 capabilities */ new section wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. ::: There is no plan. Really. The developers decide to spend their own free time to improve the code, and when there are some major changes, or a serious bug is found and fixed, a release comes out. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) Guys! Any update on this (: Please... :There are automated builds of the current source at [http://builds.freemyipod.org/ builds.freemyipod.org] for the impatient, but there aren't so many changes/improvements since the last release, and there are some bugs that aren't fixed yet.
So please use the latest release builds, to avoid any issues. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. : I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. : Hope this helps! : Cheers : jkbuha :: Thank u so much Jkbuha!! I'm giving it a try right away! :: Vasyl :: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx :: Vasyl ::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings.
With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software! ::: Cheers jkbuha :::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again! :::: Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update ::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ? :::: Since Rockbox on the classics is still flagged as Unusable, there aren't any stable/release builds for these. Your best bet would be using the current build, which is located at http://build.rockbox.org/data/rockbox-ipodclassic.zip (this url always points at the most recent build). And again, these are completely untested, and you run them at your own risk. Be warned! --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Classic and RGB666 capabilities == Hi TheSeven/User890104 I know this is not about an 'official' EmCORE release, but I need to flag it up to the development team just in case.
As of r746 my ipod6g (classic) w/ emcore does not initialise rockbox correctly. EmCORE loads up perfectly, but when Rockbox is selected a few garbled pixels are displayed at the top left hand corner and the LCD is never properly initialised. Rockbox is still fully functional though (play/seek/usb/etc) but the display doesn't work. I seem to have tracked the culprit down to a change in the RGB666 driver in r746&r747, and having reverted the changes from the SVN, I can successfully build any version which works well, up to the most recent build (r764). The latest 'vanilla' svn version r764 still doesn't work properly on my ipod6g, so I wanted to flag this up just in case you may be using some slightly different hardware to test any 6g functionality. On another note - great work so far - I'm really impressed with the work & functionality to date - can't wait for some new snazzy features such as piezo, better pm and proper undervolting again! Hope this helps! Cheers jkbuha 2b8fde3410ae9dc442aad5c9cd0e70be77889581 3985 3984 2011-08-23T08:26:27Z User890104 124 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info.
Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. ::: There is no plan. Really. The developers decide to spend their own free time to improve the code, and when there are some major changes, or a serious bug is found and fixed, a release comes out. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) Guys! Any update on this (: Please... :There are automated builds of the current source at [http://builds.freemyipod.org/ builds.freemyipod.org] for the impatient, but there aren't so many changes/improvements since the last release, and there are some bugs that aren't fixed yet. So please use the latest release builds, to avoid any issues. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. : I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. : Hope this helps!
: Cheers : jkbuha :: Thank u so much Jkbuha!! I'm giving it a try right away! :: Vasyl :: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx :: Vasyl ::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software! ::: Cheers jkbuha :::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again! :::: Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update ::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
:::: Since Rockbox on the classics is still flagged as Unusable, there aren't any stable/release builds for these. Your best bet would be using the current build, which is located at http://build.rockbox.org/data/rockbox-ipodclassic.zip (this url always points at the most recent build). And again, these are completely untested, and you run them at your own risk. Be warned! --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Classic and RGB666 capabilities == Hi TheSeven/User890104 I know this is not about an 'official' EmCORE release, but I need to flag it up to the development team just in case. As of r746 my ipod6g (classic) w/ emcore does not initialise rockbox correctly. EmCORE loads up perfectly, but when Rockbox is selected a few garbled pixels are displayed at the top left hand corner and the LCD is never properly initialised. Rockbox is still fully functional though (play/seek/usb/etc) but the display doesn't work. I seem to have tracked the culprit down to a change in the RGB666 driver in r746&r747, and having reverted the changes from the SVN, I can successfully build any version which works well, up to the most recent build (r764). The latest 'vanilla' svn version r764 still doesn't work properly on my ipod6g, so I wanted to flag this up just in case you may be using some slightly different hardware to test any 6g functionality. On another note - great work so far - I'm really impressed with the work & functionality to date - can't wait for some new snazzy features such as piezo, better pm and proper undervolting again! Hope this helps! Cheers jkbuha : Hello jkbuha, [http://www.rockbox.org/tracker/task/12233 this patch] makes Rockbox compatible with the RGB666 driver of emCORE, so if you apply it to your Rockbox source, the display would work fine.
--[[User:User890104|User890104]] 08:26, 23 August 2011 (UTC) 62fc4e415d90def9e8af4c96dd325e3288ad5fc3 3986 3985 2011-08-23T16:06:02Z Jkbuha 293 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necessary, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? : When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) :: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl. ::: There is no plan. Really. The developers decide to spend their own free time to improve the code, and when there are some major changes, or a serious bug is found and fixed, a release comes out. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) Guys! Any update on this (: Please... :There are automated builds of the current source at [http://builds.freemyipod.org/ builds.freemyipod.org] for the impatient, but there aren't so many changes/improvements since the last release, and there are some bugs that aren't fixed yet. So please use the latest release builds, to avoid any issues. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Sound Quality Improvements == Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux!
I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality Some interesting material due to this http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html http://www.redwineaudio.com/products/imod Tnx Vasyl : Sound Update : Hi Vasyl : Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers. : I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound. : Hope this helps! : Cheers : jkbuha :: Thank u so much Jkbuha!! I'm giving it a try right away! :: Vasyl :: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx :: Vasyl ::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os.
If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software! ::: Cheers jkbuha :::: Hi Jkbuha. Tnx for your reply. I'm famular a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again! :::: Vasyl == Last Rockbox Build == Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release? : I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else. It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks. :: Tnx! Will be waiting for developers update ::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ? :::: Since Rockbox on the classics is still flagged as Unusable, there aren't any stable/release builds for these. Your best bet would be using the current build, which is located at http://build.rockbox.org/data/rockbox-ipodclassic.zip (this url always points at the most recent build). And again, these are completely untested, and you run them on your own risk. Be warned! --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC) == Classic and RGB666 capabilities == Hi TheSeven/User890104 I know this is not about an 'official' EmCORE release, but I need to flag it up to the development team just in case. As of r746 my ipod6g (classic) w/ emcore does not initialise rockbox correctly. EmCORE loads up perfectly, but when Rockbox is selected a few garbled pixels are displayed at the top left hand corner and the LCD is never properly initialised. 
Rockbox is still fully functional though (play/seek/usb/etc) but the display doesn't work. I seem to have tracked the culprit down to a change in the RGB666 driver in r746&r747, and having reverted the changes from the SVN, I can successfully build any version which works well, up to the most recent build (r764). The latest 'vanilla' svn version r764 still doesn't work properly on my ipod6g, so I wanted to flag this up just in case you may be using some slightly different hardware to test any 6g functionality. On another note - great work so far - I'm really impressed with the work & functionality to date - can't wait for some new snazzy features such as piezo, better pm and proper undervolting again! Hope this helps! Cheers jkbuha : Hello jkbuha, [http://www.rockbox.org/tracker/task/12233 this patch] makes Rockbox compatible with the RGB666 driver of emCORE, so if you apply it to your Rockbox source, the display would work fine. --[[User:User890104|User890104]] 08:26, 23 August 2011 (UTC) :: Hi User890104 that works a treat! Just out of interest, what are the benefits of enabling RGB666 capabilities - better colour, power usage? Cheers jkbuha 40409ece9f214196b4adc3ad614a51d57a5f87f4 3987 3986 2011-08-24T16:17:59Z User890104 124 wikitext text/x-wiki == Nano 2G == So are there instructions to getting this on my 2G nano. I would really like to test this. : Please see here: [[EmCORE_Installation/iPodNano2G]] [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC) == Voltage reduction on classic == ''Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.'' Is it good or bad? (: : In general, this is bad (and should eventually be handled differently) as the CPU now consumes more power than actually necesarry, but for now, it solves problems where it didn't work properly due to a too low voltage. --[[User:Benedikt93|Benedikt93]] 13:03, 2 May 2011 (UTC) ==Next release== When next release is planned to be out? 
: When some of the remaining bugs are fixed. [[User:User890104|User890104]] 20:23, 25 May 2011 (UTC)
:: I mean not specific dates but at least some more general info. Like - it'll planned to be out in week or two (: Hoping sound quality bug will be fixed as well... At least a bit. Tnx. Vasyl.
::: There is no plan. Really. The developers decide to spend their own free time to improve the code, and when there are some major changes, or a serious bug is found and fixed, a release comes out. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
Guys! Any update on this (: Please...
:There are automated builds of the current source at [http://builds.freemyipod.org/ builds.freemyipod.org] for the impatient, but there aren't so many changes/improvements since the last release, and there are some bugs that aren't fixed yet. So please use the latest release builds, to avoid any issues. --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
== Sound Quality Improvements ==
Hey! Are there any sound quality improvements planned to be done? Maybe some hardware tweaks. New ipod chip really sux! I've got some talk with the7 due to this issue, but topic seems to be deleted http://www.freemyipod.org/wiki/Talk:IPod_Classic_iLoader_Installation#iPod_Classic_Sound_Quality
Some interesting material due to this
http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html
http://www.redwineaudio.com/products/imod
Tnx Vasyl
: Sound Update
: Hi Vasyl
: Good reading info - thanks! I had similar problems (bit of an audiophile meself) but I've used the BioEq libraries: http://www.head-fi.org/wiki/bioeq-rockbox and they work great both with my sennheiser headphones as well as my philips dock. The sound has a natural fullness now, which is improved once you adjust the freq response to the natural response of the speakers.
: I'm now running an undervolted ipod classic with emcore r755 (note: the latest rgb666 changes don't work for all ipod6gs apparently - had to comment mine out as rb screens weren't initialising properly) getting 10+ hours off a single charge with great sound.
: Hope this helps!
: Cheers
: jkbuha
:: Thank u so much Jkbuha!! I'm giving it a try right away!
:: Vasyl
:: Okay. That's installed. I'll try to give it a push with some tweaks, 'cause default settings with native BioEQ didn't impress me much, actually. Jkbuha, I didn't get about EmCORE r755 release, since last build I see on release page is r708: April 24th, 2011. Did I miss smtn? Tnx
:: Vasyl
::: Hi Vasyl - try the thrum or throb settings with any decent headgear and you'll see the difference. You may have to modify the freq response a bit to match the dynamic response of your own headphones, but it's way better than the default settings. With regards to r755, you need to build, modify and compile the code yourself off the svn, and you'd most likely need to have some flavour of linux installed as your primary (or virtual) os. If you're not familiar with basic code development it would probably be best to wait until /7 or someone else releases a more updated EmCORE version, ideally with some better lcd and ide handling (my drive groans awfully when seeking long tracks, unlike apple's firmware). But r755 (and r708) are way better than the original apple software!
::: Cheers jkbuha
:::: Hi Jkbuha. Tnx for your reply. I'm familiar a bit with open-source os like linux/unix and with basic code dev since working on IT-field. Will try to give it a push once get a chance. Tnx again!
:::: Vasyl
== Last Rockbox Build ==
Hey! Can last Rockbox build be installed or RB release is tied to the EmCORE release?
: I'm not a Rockbox developer, but I personally haven't had any issues using the latest builds: http://download.rockbox.org/daily/ipodclassic/ Obviously you do so at your own risk as with everything else.
It would be nice to have a developer confirm this is okay with the latest EmCORE release. Thanks.
:: Tnx! Will be waiting for developers update
::: So, could you recommend to use last build from http://download.rockbox.org/daily/ipodclassic/ ?
:::: Since Rockbox on the classics is still flagged as Unusable, there aren't any stable/release builds for these. Your best bet would be using the current build, which is located at http://build.rockbox.org/data/rockbox-ipodclassic.zip (this url always points at the most recent build). And again, these are completely untested, and you run them at your own risk. Be warned! --[[User:User890104|User890104]] 19:21, 18 August 2011 (UTC)
== Classic and RGB666 capabilities ==
Hi TheSeven/User890104 I know this is not about an 'official' EmCORE release, but I need to flag it up to the development team just in case. As of r746 my ipod6g (classic) w/ emcore does not initialise rockbox correctly. EmCORE loads up perfectly, but when Rockbox is selected a few garbled pixels are displayed at the top left hand corner and the LCD is never properly initialised. Rockbox is still fully functional though (play/seek/usb/etc) but the display doesn't work. I seem to have tracked the culprit down to a change in the RGB666 driver in r746&r747, and having reverted the changes from the SVN, I can successfully build any version which works well, up to the most recent build (r764). The latest 'vanilla' svn version r764 still doesn't work properly on my ipod6g, so I wanted to flag this up just in case you may be using some slightly different hardware to test any 6g functionality. On another note - great work so far - I'm really impressed with the work & functionality to date - can't wait for some new snazzy features such as piezo, better pm and proper undervolting again! Hope this helps!
Cheers jkbuha
: Hello jkbuha, [http://www.rockbox.org/tracker/task/12233 this patch] makes Rockbox compatible with the RGB666 driver of emCORE, so if you apply it to your Rockbox source, the display would work fine. --[[User:User890104|User890104]] 08:26, 23 August 2011 (UTC)
:: Hi User890104 that works a treat! Just out of interest, what are the benefits of enabling RGB666 capabilities - better colour, power usage? Cheers jkbuha
::: I'm not really sure, I think it allows more colors to be displayed. You can ask on IRC - our channel is listed in the [[Contact]] page --[[User:User890104|User890104]] 16:17, 24 August 2011 (UTC)
230228cfe60fb40b9c2fb86edc9e8f04f549725a Contributing 0 256 3988 3304 2011-08-25T12:51:41Z Farthen 28 wikitext text/x-wiki
The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project:
==Developing==
This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about:
*'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources:
**[http://simplemachines.it/doc/arm_inst.pdf an ARM primer]
**[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref]
**[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM]
**http://simplemachines.it has great resources for learning ARM
*'''C''' - Used whenever we can avoid using ARM assembly.
*'''Python''' - Python is used often for various scripts we write.
==Vulnerabilities==
If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability.
Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).
==Writing guides==
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.
==Testing==
Testers are always good to have, and it's also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing.
1f40360fd0a4da18d04b48349ba199b2e853c7f0 User:User890104 2 328 3994 3991 2011-09-03T21:10:43Z User890104 124 wikitext text/x-wiki
My name is Vencislav Atanasov. I am from Bulgaria. I enjoy writing pieces of software, mainly to improve my experience and knowledge. I own some iPods - a 2G Nano, a 3G Nano and a 4G Nano. I am providing the project with iPod Nano 2G and iPod classic emCORE installer builds, which are not suitable for everyday use, but if you feel adventurous, you can try them on your device. Detailed instructions on how to do this are available in the wiki. The binaries can be found at http://builds.freemyipod.org/ I am also working on a project that would provide easy access to iPod's internal storage using emCORE's monitor protocol, libusb and FUSE. It is working somehow, but it's still incomplete and needs to be optimised. If you are curious about my current progress, you can check it out at [http://svn.freemyipod.org/emcore/trunk/tools/emcorefs/ the SVN] I would be happy to help anyone who has issues with his emCORE installation on a Nano 2G (because I have a device of that model). Please ask in the IRC channel, and if I am available, I'll try to answer your question. [[File:Signature-user890104.gif]]
345808d26eb388bb2c8574a2b89f9163f10b7d97 File:Signature-user890104.gif 6 375 3990 2011-08-28T13:50:34Z User890104 124 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 EmCORE Installation/iPodNano4G 0 341 3993 3917 2011-09-03T17:16:43Z User890104 124 wikitext text/x-wiki
Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development. The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device is vaguely similar to other devices that [[emCORE]] supports, and [[emCORE]] can already be booted on it from a RAMDISK, but a significant amount of work remains before it can be permanently installed and access the device's flash memory. Until this work is done, the [[emCORE]] port to this device isn't of much use.
==Running [[emCORE]] from the RAM==
As of now the only way to execute code on the [[Nano_4G|Nano 4G]] is through the [[Notes_vulnerability|Notes vulnerability]] and with [[Pwnage 2.0]]. Since the [[Pwnage 2.0]] method requires the LCD to be initialised by our code (and that code is not working as expected at the moment), it is recommended to use the [[Notes_vulnerability|Notes vulnerability]] method. The only working note at the moment is an [[IBugger#iBugger_Loader|iBugger loader]].
'''Attention''': The [[Notes_vulnerability|Notes vulnerability]] was patched in the v1.0.4 firmware update of the [[Nano_4G|Nano 4G]]. You need to [[Firmware_downgrading | downgrade to v1.0.3]] to still use the Notes vulnerability.
To run [[IBugger#iBugger_Loader|iBugger loader]] download the [http://files.freemyipod.org/targets/iPod%20nano%204g/n4g_ibugger_libusb1.zip Nano 4G iBugger package]. To use the scripts in there you need a working [[Toolchain#Python_Scripts|Python Toolchain]]. Simply put the "n4g-ibugger.bootnote" in the "Notes" directory of your [[Nano_4G|Nano 4G]] and safely remove it. A Mandelbrot set should be displayed on the screen with some text stating it is Unified [[IBugger#iBugger_Loader|iBugger loader]] v0.1.1 running on [[Nano_4G|Nano 4G]].
You can get a recent emCORE build for your device from [http://builds.freemyipod.org/ the builds page], or build one yourself. To run [[emCORE]], enter these commands:
 python ibugger.py upload 08000000 emcore-ipodnano4g-rXYZ.bin
 python ibugger.py execute 08000000 0a000000
You can then use the [[emCORE]] tools to communicate with [[emCORE]].
7bc0742ebacd0363949a8cc67853412e6ba97d84 Main Page 0 50 4009 4004 2011-09-24T14:31:40Z User890104 124 hide old updates and add pre- and post-installation steps wikitext text/x-wiki
__NOTOC__ [[File:Iloader_ipc.jpg|115px|thumb|right|[[iLoader]] alpha on the iPod classic]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox].
Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] <!-- *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |} e80dfefca441593a795b9fbfe5a6ca07592d947e EmCORE 0 323 3996 3926 2011-09-04T20:31:22Z User890104 124 wikitext text/x-wiki ==emCORE kernel== emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day). 
===Features=== * Preemptive multitasking * Can run multiple independent apps at the same time * Shared library support * USB debugging API * FAT32 file system access * LCD text console and graphics API * Can run other kernels (such as [http://www.rockbox.org/ Rockbox]) through a kexec-like interface * ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer) ==emCORE boot menu== When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options. ==emCORE fastboot== You can use [[Fastboot|fastboot]] in order to launch [http://www.rockbox.org/ Rockbox] even more quickly when the iPod starts. ==emCOREFS== [[emCOREFS]] is a filesystem wrapper around [[EmCORE_Monitor_Protocol|emCORE's Monitor Protocol]] that uses [http://libusb.org/wiki/libusb-1.0 libusb 1.0] to connect to a device running emCORE and [http://fuse.sourceforge.net/ FUSE] to mount its storage in a directory. ==Installation instructions== There's an installation wizard available on [[EmCORE Installation|this page]]. ==Uninstallation instructions== There's an uninstallation wizard available on [[EmCORE Uninstallation|this page]]. f7fdf2bb689edbf4f0825456b0dab2bc0798c0e4 EmCOREFS 0 377 3997 2011-09-04T20:41:23Z User890104 124 Created page with "emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is still in very early state, but some features (directory listin..." wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is still in very early state, but some features (directory listing, reading files) are done. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 5. maybe other packages ===Compiling=== make - standard build, no debug messages, only fatal errors on startup are shown. 
make debug - debug build, some debug/error messages are shown. libusb debug messages are enabled, too. ===Testing=== make test - run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make testdebug - run the build in the foreground, showing FUSE debug messages in the terminal. ==Running== You need FUSE >= 2.8 installed. Currently only tested on Linux (Ubuntu 11.04 in my case). Maybe an OSX-compatible version would appear at some point. Starting: ./emcorefs <mountpoint> Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Read-only support at the moment. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Implement write support. * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. 
0f3fea0904a39dd05dd5ad497dcda267c072cba0 EmCORE Installation/iPodClassic/UMSboot 0 347 3998 3825 2011-09-06T13:49:22Z Crusader 339 translated into correct English wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) * Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! 7c19b1d9fc739d124c7cd19b0e4afde3b497e416 4011 3998 2011-09-30T20:23:43Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) 
* Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! Optional: You can install [[fastboot]] so Rockbox boots as soon as the iPod is powered on. c616f42312c93e10af22a29ccd646716eedf7859 4031 4011 2011-10-25T23:37:53Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) * Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! 
Optional: You can install [[fastboot]] so Rockbox boots as soon as the iPod is powered on. <span style="color: #f00;">'''Be careful to pick the correct fastboot version, because recovery is difficult on Windows'''</span>

f92da72e6f8138887a5491a008561bf5f6a572fd EmBIOS Monitor Protocol 0 258 4001 3294 2011-09-10T19:22:38Z Farthen 28 wikitext text/x-wiki

{{Template:Outdated|reason=emBIOS was discontinued on {{#dateformat:2011-03-25}} and superseded by [[emCORE]]}}

This article describes the USB communication protocol of the emBIOS monitor.

== Endpoints ==
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:
* Command OUT Endpoint
* Command IN Endpoint
* Data OUT Endpoint
* Data IN Endpoint

If not stated otherwise, everything is little endian.

== General Structure ==
Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header.

After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command.

{| class="wikitable prettytable"
|+ Status Codes
|-
! Status Code !! Description
|-
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this
|-
| style="text-align:right" | 1 || OK (everything went fine)
|-
| style="text-align:right" | 2 || Command not supported
|-
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)
|-
|}

== Commands ==
=== 0: Invalid ===
Never issue this command. It will be rejected with status code 2.
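The header layout and status codes above, worked through on the host side as an added example (it is not code from the emBIOS project). The function names are hypothetical, the sample response bytes and the memory address are constructed, and the field layouts for commands 1 and 4 are taken from the tables further down this page.

```python
import struct

HEADER_LEN = 16  # every command and every response starts with a 16-byte header
STATUS_INVALID, STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 0, 1, 2, 3

# Device Type IDs from the "Hardware Types" table of command 1.
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class MonitorError(Exception):
    """The response cannot be trusted or the command was refused."""


class DeviceBusy(MonitorError):
    """Status 3: another asynchronous command is still running, retry later."""


def build_command(cmd_id, args=b"", data=b"", max_out=None):
    """Return a Command OUT packet: LE command ID, 12 argument bytes, then data."""
    if len(args) > HEADER_LEN - 4:
        raise ValueError("arguments do not fit into the 16-byte header")
    packet = struct.pack("<I", cmd_id) + args.ljust(HEADER_LEN - 4, b"\x00") + data
    if max_out is not None and len(packet) > max_out:
        raise ValueError("packet exceeds the Command OUT maximum packet size")
    return packet


def parse_response(packet, data_len=0):
    """Validate a Command IN packet; return (12 parameter bytes, data stage)."""
    if len(packet) < HEADER_LEN:
        raise MonitorError("response shorter than the 16-byte header")
    (status,) = struct.unpack_from("<I", packet, 0)
    if status == STATUS_BUSY:
        raise DeviceBusy("device is busy")
    if status == STATUS_UNSUPPORTED:
        raise MonitorError("command not supported")
    if status != STATUS_OK:  # 0 and anything undocumented: bail out
        raise MonitorError("invalid response (status %d)" % status)
    data = packet[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise MonitorError("data stage truncated")
    return packet[4:HEADER_LEN], data


def version_request():
    """Command 1, information type 0 (get version information)."""
    return build_command(1, struct.pack("<I", 0))


def parse_version(packet):
    """Decode the version response; unknown type IDs are reported, not guessed."""
    params, _ = parse_response(packet)
    svn, major, minor, patch, sw_type, dev_type = struct.unpack("<IBBBBI", params)
    return {
        "svn_revision": svn,
        "version": "%d.%d.%d" % (major, minor, patch),
        "software_type": sw_type,
        "device": DEVICE_TYPES.get(dev_type, "unknown (0x%08x)" % dev_type),
        # The non-zero IDs in the table are four ASCII characters when stored
        # little endian.
        "device_tag": struct.pack("<I", dev_type).decode("ascii", "replace"),
    }


def read_memory_requests(address, length, max_in):
    """Split a read into command 4 packets whose responses fit max_in bytes.

    max_in is the Command IN maximum packet size; the 16-byte response header
    counts against it, so each request may ask for at most max_in - 16 bytes.
    """
    chunk = max_in - HEADER_LEN
    if chunk <= 0:
        raise ValueError("Command IN packet size leaves no room for data")
    requests = []
    offset = 0
    while offset < length:
        n = min(chunk, length - offset)
        requests.append(build_command(4, struct.pack("<II", address + offset, n)))
        offset += n
    return requests


# Constructed sample: status 1, SVN revision 123, version 0.1.0,
# software type 1 (emBIOS Debugger), device type 0x4c435049.
SAMPLE_VERSION_RESPONSE = struct.pack("<IIBBBBI", 1, 123, 0, 1, 0, 1, 0x4C435049)

if __name__ == "__main__":
    print(version_request().hex())
    print(parse_version(SAMPLE_VERSION_RESPONSE))
    for request in read_memory_requests(0x08000000, 100, 64):  # constructed values
        print(request.hex())
```

A real client would take `max_in` from the "Get packet size information" response rather than hard-coding it.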
=== 1: Get device information ===
Use this command to figure out various device properties.

==== Get version information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number
|-
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version
|-
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version
|-
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version
|-
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID
|-
|}

{| class="wikitable prettytable"
|+ Software Types
|-
! Software Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 1 || emBIOS Debugger
|-
|}

{| class="wikitable prettytable"
|+ Hardware Types
|-
! Device Type ID !! Description
|-
| style="text-align:right" | 0 || invalid
|-
| style="text-align:right" | 0x47324e49 || iPod Nano 2G
|-
| style="text-align:right" | 0x47334e49 || iPod Nano 3G
|-
| style="text-align:right" | 0x47344e49 || iPod Nano 4G
|-
| style="text-align:right" | 0x4c435049 || iPod Classic
|-
|}

==== Get packet size information ====
{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size
|-
|}

==== Get user memory address range ====
Provides information about the range of memory not used by emBIOS itself.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
|}

=== 2: Reset ===
Reboot the device.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots.

=== 3: Power off ===
Power the device off.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

Both variants are asynchronous commands.

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off.

=== 4: Read memory ===
Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory
|-
|}

=== 5: Write memory ===
Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 6: Read memory using DMA ===
Use this command to read large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, read the requested data from the Data IN Endpoint.

=== 7: Write memory using DMA ===
Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

After receiving the response, send the data to be written to the Data OUT Endpoint.

=== 8: Read from I2C device ===
Use this command to read from an I2C slave.
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 13: Read from device's consoles ===
Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size
|-
|}

=== 14: Flush device's console buffers ===
Use this command to flush the buffers of one or more consoles. This is equivalent to the cflush system call.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 15: Get process information ===
Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes)
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined
|-
| style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds
|-
|}

=== 16: (Un)Freeze scheduler ===
Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
|}

=== 17: (Un)Suspend thread ===
Suspend or resume a thread.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|}

=== 18: Kill thread ===
Kill a thread.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 19: Create thread ===
Create a new thread. This command uses an extended command size of 32 bytes.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread
|-
| style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes
|-
| style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1)
|-
| style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255)
|-
| style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0)
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative)
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
|}

=== 20: Flush CPU caches ===
Flushes the CPU's instruction and data caches.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 21: Execute image ===
Executes an emBIOS executable image. This is an asynchronous command.
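The packet layouts of commands 13, 15 and 19 above, as an added example that is not part of the wiki or of the project's own tools: a host-side encoder and response parser that enforces the packet-size limit and treats every length reported by the device as untrusted. Little-endian field encoding, all function names and the 64-byte packet size used in the sample are assumptions; the sample response is constructed.

```python
import struct

STATUS_OK = 1        # "Status Code (1)" in the response tables
HEADER_LEN = 16      # four 32-bit fields in a standard command or response
CMD_CREAD, CMD_PROCINFO, CMD_CREATE_THREAD = 13, 15, 19


class ProtocolError(Exception):
    """A request or a device response violates the documented layout."""


def pack_u32(*fields):
    # Assumption: every field is a little-endian unsigned 32-bit word.
    return struct.pack("<%dI" % len(fields), *fields)


def check_transfer(nbytes, max_packet):
    # Header plus payload must fit into a single endpoint packet.
    if nbytes < 0 or HEADER_LEN + nbytes > max_packet:
        raise ProtocolError("%d bytes do not fit a %d-byte packet"
                            % (nbytes, max_packet))


def build_cread(console_mask, nbytes, max_in_packet):
    """Command 13: read up to nbytes from the consoles in console_mask."""
    check_transfer(nbytes, max_in_packet)
    return pack_u32(CMD_CREAD, console_mask, nbytes, 0)


def build_procinfo(offset, nbytes, max_in_packet):
    """Command 15: request a slice of the process information table."""
    check_transfer(nbytes, max_in_packet)
    return pack_u32(CMD_PROCINFO, offset, nbytes, 0)


def build_create_thread(name_ptr, entry, stack, stack_size,
                        system, priority, ready):
    """Command 19: the extended 32-byte command (eight 32-bit fields)."""
    if not 1 <= priority <= 255:
        raise ProtocolError("priority must be in 1-255")
    return pack_u32(CMD_CREATE_THREAD, name_ptr, entry, stack, stack_size,
                    1 if system else 0, priority, 1 if ready else 0)


def check_header(packet):
    if len(packet) < HEADER_LEN:
        raise ProtocolError("response shorter than its 16-byte header")
    status = struct.unpack_from("<I", packet, 0)[0]
    if status != STATUS_OK:
        raise ProtocolError("device returned status %d" % status)


def parse_cread(packet, requested):
    """Return only the bytes actually read; the padding is undefined."""
    check_header(packet)
    nread = struct.unpack_from("<I", packet, 4)[0]
    # The length comes from the device: bound it by what was asked for
    # and by what actually arrived before slicing.
    if nread > requested or HEADER_LEN + nread > len(packet):
        raise ProtocolError("implausible read length %d" % nread)
    return bytes(packet[HEADER_LEN:HEADER_LEN + nread])


def parse_procinfo(packet, offset, requested):
    """Return (struct version, table size, valid slice of the table)."""
    check_header(packet)
    version, total = struct.unpack_from("<II", packet, 4)
    # Bytes past the end of the table are padding, not process data.
    valid = max(0, min(requested, total - offset))
    if HEADER_LEN + valid > len(packet):
        raise ProtocolError("response truncated")
    return version, total, bytes(packet[HEADER_LEN:HEADER_LEN + valid])


def parse_create_thread(packet):
    """Return the new thread ID; a negative result is an error code."""
    check_header(packet)
    result = struct.unpack_from("<i", packet, 4)[0]   # signed on purpose
    if result < 0:
        raise ProtocolError("thread creation failed with code %d" % result)
    return result


def demo():
    # Constructed sample: 5 bytes read out of 48 requested, rest is padding.
    request = build_cread(0x1, 48, 64)
    response = pack_u32(STATUS_OK, 5, 0, 0) + b"hello" + b"\xaa" * 43
    return request, parse_cread(response, 48)


if __name__ == "__main__":
    print(demo())
```

Reading the thread-creation result as unsigned would turn every negative error code into a large, valid-looking thread ID, which is why that field alone is unpacked as a signed word.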

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success.
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined
|-
|}

=== 22: Read raw boot flash ===
Reads raw data from the boot flash to RAM. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 23: Write raw boot flash ===
Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width)
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 24: Execute firmware ===
Executes a firmware image at the specified address. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located
|-
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 25: Hardware key AES ===
Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25)
|-
| style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1)
|-
| style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero
|-
| style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

=== 26: HMAC-SHA1 ===
Generate an HMAC-SHA1 hash of a buffer. This is an asynchronous command.

{| class="wikitable prettytable"
|+ Command Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26)
|-
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed
|-
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed
|-
| style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored
|-
|}

{| class="wikitable prettytable"
|+ Response Packet
|-
! Offset !! Size (bytes) !! Description
|-
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)
|-
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined
|-
|}

134704a529f970d3b2ad6047181e0a5832d224d8

Toolchain 0 296 4005 3545 2011-09-11T20:16:31Z User890104 124 wikitext text/x-wiki

To compile our code and to use our Python scripts that communicate with software running on the target, like [[emCORE]], you need some tools:
<!-- TODO: Compiler toolchain for ARM cross compiling -->

== Python Scripts ==
To use our Python scripts that communicate with the target via USB you need the following tools:
* [http://www.libusb.org/wiki/libusb-1.0 LibUSB v1.x]
* [http://www.python.org/download/ A Python version of 2.6 or higher]. Python 3 is '''not''' tested yet and will probably not work.
* [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ PyUSB v1.x]
<!-- TODO: Installation instructions -->

9c8f8ee29557f9e5526bef3b9d1bf58830aaf790

EmCORE Installation/iPodNano2G 0 342 4006 3912 2011-09-17T21:17:01Z User890104 124 [22:46:36] <tony_> it dosent say anything about installing it wikitext text/x-wiki

Your device is fully supported by [[emCORE]], but there are some bugs left, so it's not yet recommended for end users. If you would like to dualboot [http://www.rockbox.org/ Rockbox] and Apple's firmware, it would be safer to use Rockbox's bootloader or [http://theseven.freemyipod.org/iloader/ iLoader]. If you would like to install [[emCORE]] on your iPod Nano 2G, you can follow the [http://theseven.freemyipod.org/iloader/installation.php iLoader install instructions], but substituting iLoader's .ipodx file with '''installer-ipodnano2g.ipodx''' from [[EmCORE_Releases|the Releases page]].

949cde86340aedeb2bc7ff53ff709ff5c469edb0

4007 4006 2011-09-17T21:17:32Z User890104 124 wikitext text/x-wiki

Your device is fully supported by [[emCORE]], but there are some bugs left, so it's not yet recommended for end users.
If you would like to dualboot [http://www.rockbox.org/ Rockbox] and Apple's firmware, it would be safer to use Rockbox's bootloader or [http://theseven.freemyipod.org/iloader/ iLoader]. If you would like to install [[emCORE]] on your iPod Nano 2G, you can follow the [http://theseven.freemyipod.org/iloader/installation.php iLoader install instructions], but substituting iLoader's .ipodx file with '''installer-ipodnano2g.ipodx''' from [[EmCORE_Releases|the Releases page]].
Optional: You can install [[fastboot]] so either Rockbox or OF boots as soon as the iPod is powered on. <span style="color: #f00;">'''Be careful to pick the correct fastboot version, because recovery is difficult on Windows'''</span>

de065237fcb347f0e0c14aa7ab66dc45e1c3a08b

EmCORE Releases 0 346 4010 3951 2011-09-28T20:40:57Z User890104 124 mark the release as broken wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released to the public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

'''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!'''

==r708: April 24th, 2011==
===Release notes / Known issues===
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
===Fixes / Improvements===
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.
===Files===
====Common====
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
====iPod Nano 2G====
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
<s>installer-ipodnano2g.ipodx</s> <small>(this file is broken, please use the one from the previous release)</small><br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>
====iPod Classic====
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>

==r692: April 6th, 2011==
===Release notes / Known issues===
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
===Fixes / Improvements===
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.
===Files===
====Common====
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
====iPod Nano 2G====
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>
====iPod Classic====
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>

==r674: March 25th, 2011==
===Release notes / Known issues===
* This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild.
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
===Fixes / Improvements===
* Initial public [[emCORE]] release
===Files===
====Common====
[http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/>
====iPod Classic====
[http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/>
====iPod Nano 2G====
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/>

6ad75717674c1c7746fb3b24748516f42296f270

4013 4010 2011-10-01T14:36:29Z Lickyrem980 344 wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released to the public so far.
'''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> <s>installer-ipodnano2g.ipodx</s> <small>(this file is broken, please use the one from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> a15c81ec04a000eca5683937483c4711b79aeb98 4016 4015 2011-10-06T17:36:01Z TheSeven 13 Reverted edits by [[Special:Contributions/Luckiong754|Luckiong754]] ([[User talk:Luckiong754|talk]]) to last revision by [[User:TheSeven|TheSeven]] wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. 
'''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> <s>installer-ipodnano2g.ipodx</s> <small>(this file is broken, please use the one from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 6ad75717674c1c7746fb3b24748516f42296f270 4017 4016 2011-10-06T18:11:14Z TheSeven 13 Protected "[[EmCORE Releases]]": Excessive vandalism ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. 
'''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> <s>installer-ipodnano2g.ipodx</s> <small>(this file is broken, please use the one from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 6ad75717674c1c7746fb3b24748516f42296f270 4028 4017 2011-10-23T09:49:10Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. 
'''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> <s>installer-ipodnano2g.ipodx</s> <small>(this file is broken, please use the one from the previous release. 
You can update after installing, using the .ubi file from this release, using UMSboot)</small><br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 2177e6cefc79e6df46f309655db02a39d775e8f1 4029 4028 2011-10-23T17:41:16Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. 
'''Please do not use any other builds unless you really know what you're doing!''' '''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!''' ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> 4347d39db5e985c5ea34c49691cae9555259934e 4034 4029 2011-10-25T23:42:35Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. 
'''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!'''</span> ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> e31f3a7e90478ed65819987741012f5c2b706445 EmCORE Installation 0 331 4019 3824 2011-10-18T04:38:59Z User890104 124 wikitext text/x-wiki This wizard will guide you through the installation process of [[emCORE]]. <span style="color: #f00;">'''Please follow the instructions closely, step by step. If any doubts arise, please ask for [[Contact|support]] before playing around. 
You could permanently damage your device!'''</span> '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.''' Please select the type of your device below: * [[EmCORE_Installation/iPod|Apple iPod]] * [[EmCORE_Installation/UnsupportedDevice|Other device type]] f3ac341170c4630e355103a2c147b4f5569a4249 4020 4019 2011-10-18T04:39:16Z User890104 124 wikitext text/x-wiki This wizard will guide you through the installation process of [[emCORE]]. <span style="color: #f00;">'''Please follow the instructions closely, step by step. If any doubts arise, please ask for [[Contact|support]] before playing around. You could permanently damage your device!'''</span> '''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.''' Please select the type of your device below: * [[EmCORE_Installation/iPod|Apple iPod]] * [[EmCORE_Installation/UnsupportedDevice|Other device type]] 64cc699b74779b6afb7678a04080cd36fc88c16f EmCORE Installation/iPodClassic/DFUiTunes 0 352 4021 3877 2011-10-18T04:43:44Z User890104 124 wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file * Connect your iPod to your computer * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 0a16241d1a5204e03635cb164a70cb58951360fb Extracting firmware 0 57 4023 3311 2011-10-18T23:25:49Z User890104 124 wikitext text/x-wiki The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/. 
The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw

On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is a workaround: Nano 4G firmwares are detected as Nano 3G firmwares, but the offset is different.

To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw

These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>
===Removing header===
If you use the osos.fw produced by extract2g in iLoader, you need to remove the 2 KiB header from it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Alternatively, under Windows, open osos.fw in HxD, choose 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.

Then put osos.out into /.boot/AppleOS.bin
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
17dfcfa34728d71d10d3d42f5021e4d947d35a1b 4024 4023 2011-10-18T23:26:41Z User890104 124 wikitext text/x-wiki
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/.
The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named.

To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw

On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is a workaround: Nano 4G firmwares are detected as Nano 3G firmwares, but the offset is different.

To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw

These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g - -help</pre>
===Removing header===
If you use the osos.fw produced by extract2g in [[emCORE]], you need to remove the 2 KiB header from it first:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Alternatively, under Windows, open osos.fw in HxD, choose 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.

Then put osos.out into /.boot/AppleOS.bin
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
3fcefdf2b4906220f3338b45e1a5497b9f05689e MPEG movies 0 173 4025 3302 2011-10-18T23:27:46Z User890104 124 wikitext text/x-wiki
Note: I'm not that great of a formatter so please edit to make this look neat and nice.
Note#2: Most of the information for this article is taken from http://www.rockbox.org/wiki/PluginMpegplayer
----
Anyway, to the main topic of this page. These instructions are basically for the iPod Nano 2G but can easily be modified to work for any Rockbox version.

Do you want to watch movies on your iPod Nano 2G? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:

First install Rockbox.
== Windows Instructions: ==
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop. Then press Windows key+R, type "cmd" (without quotes) and press enter. Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it to your Desktop. Now type the following into the window that popped up when you typed cmd, then press enter:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
Now wait for the program to finish. You should then see a new file on your Desktop. Boot your iPod to disk mode. Copy your new file to your iPod Nano 2G. Reboot your iPod to Rockbox, click Files, then click on your movie file and it should play.
== Linux Instructions: ==
Mac OS X users can follow these instructions too, getting ffmpeg from [http://www.finkproject.org/ fink].

First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg. Now put your video file in a directory. Open up a terminal and navigate to the directory of your video file.
Type the following:
 ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename]
Make sure to replace [inputfilename] with your video file and [outputfilename] with the name you want the new file to have, ending in .mpeg. An example string you would type in would be:
 ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg
''Note: If libmp3lame doesn't work use just mp3.''

Now copy the resulting video file to your iPod Nano 2G. In Rockbox, navigate to your file and play it.
== Several Notes ==
To get a widescreen aspect ratio, try 170x128; try changing the ratio to get a better view.

Your videos might take some time to convert.
309e7b7998918c1e24b68f065a6af26aad0e701a EmCORE Installation/iPodClassic 0 343 4026 3818 2011-10-19T13:46:21Z User890104 124 wikitext text/x-wiki
<small>'''''Note''': this guide has been translated into other languages by various [[emCORE]] users. We are linking to their translations to make installing easier, if you understand that language better than English. <span style="color: #f00;">'''WE DO NOT SUPPORT THESE GUIDES AND ARE IN NO WAY AFFILIATED TO THEIR AUTHORS.'''</span>''
* [http://www.avenegra.org/2011/05/rockbox-en-ipod-classic/ Spanish]
* [http://shishikai.blog9.fc2.com/blog-entry-92.html Japanese]
English guide follows:
</small>

Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?)
* [[EmCORE Installation/iPodClassic/ThirdParty|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] a7275a812af6764e5bdc54577199d27a67abcff4 EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 4027 3906 2011-10-19T15:27:03Z User890104 124 wikitext text/x-wiki * Make sure that you have python 2.6 or 2.7, libusb and pyusb >=1.0.0a0 installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 32bc0c3cdbaf8a967990a7c12ef9d36d052dab6f 4030 4027 2011-10-24T20:38:03Z User890104 124 wikitext text/x-wiki * Make sure that you have python 2.6 or 2.7, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 7f9d6ee487ad74a328a9ac1a8cac23d9cad56188 Fastboot 0 366 4032 3923 2011-10-25T23:39:20Z User890104 124 wikitext text/x-wiki Fastboot is an [[emCORE]] application, that runs [http://www.rockbox.org/ Rockbox] as soon as the device is powered on. It is preferred by many users, and it is not so hard to install. 
'''Nano 2G users''': If you mainly use Apple's firmware and would like to "fastboot" into it, please ask on IRC for a modified fastboot build that boots OF<ref name="OF">'''OF''' stands for '''Original firmware'''</ref> instead.
==Usage==
*To boot [http://www.rockbox.org/ Rockbox] with fastboot installed, just power your iPod on.
*To launch the boot menu instead, '''hold''' any key while your iPod is turning on until you see the menu.
==Installation==
<span style="color: #f00; font-size: 16px;">'''WARNING: Always use the same version of [[emCORE]] and fastboot! Mixing up versions may lead to a condition where your iPod won't boot, and would require recovering with an additional set of tools!'''</span>

Fastboot is installed by copying '''fastboot.emcoreapp''' under the name '''init.emcoreapp''' to a folder named '''.boot''' in the root folder of your iPod's flash memory/hard drive. Here are instructions for doing that on different OSes<ref name="OS">'''OS''' stands for '''Operating system'''</ref>.
===Windows===
''It is not possible to create such a folder using Windows's GUI<ref name="GUI">'''GUI''' stands for '''Graphical user interface'''</ref>.''
# Connect your iPod in OF<ref name="OF" />, [http://www.rockbox.org/ Rockbox] or Disk mode so it appears in My computer as a storage device. Note the drive letter (for example, '''F:''').
# Open '''Command prompt''' (Start -> Programs -> Accessories -> Command prompt).
# Enter the drive letter from step 1 with the colon at the end and press Enter.
# Enter the following commands:
 cd /
 mkdir .boot
Next, download the fastboot application that matches your emCORE version to the newly created '''.boot''' folder on your iPod. Don't forget to rename it to '''init.emcoreapp''' or it won't be loaded at all.
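On systems where the iPod is mounted as a directory, the copy-and-rename step and the version warning above can be combined into one POSIX shell helper. This is an added example, not part of the freemyipod tools: the function names are hypothetical, and it assumes the downloaded files still carry the release names used on the [[emCORE Releases]] page (for example fastboot-r708-20110424.emcoreapp).

```shell
#!/bin/sh
# Added example, not part of the freemyipod tools.
# Assumption: release files keep the naming used on the releases page,
# <name>-r<revision>-<yyyymmdd>.<ext>, e.g. fastboot-r708-20110424.emcoreapp

# Print the revision (rNNN) embedded in a release file name.
# Returns 1 if the name does not follow the release naming scheme.
release_rev() {
    rev=$(basename "$1" |
        sed -n 's/^.*-\(r[0-9][0-9]*\)-[0-9]\{8\}\.[A-Za-z0-9]*$/\1/p')
    [ -n "$rev" ] || return 1
    printf '%s\n' "$rev"
}

# install_fastboot <fastboot file> <emCORE revision or release file> <mount point>
# The second argument is either a bare revision such as r708 or the name of
# the emCORE installer/bootstrap file that was used on the device.
install_fastboot() {
    app=$1
    emcore=$2
    root=$3

    app_rev=$(release_rev "$app") || {
        echo "cannot read a revision from '$app'; keep the release file name" >&2
        return 2
    }

    # Accept a release file name first, then fall back to a bare rNNN.
    emcore_rev=$(release_rev "$emcore") || emcore_rev=$emcore
    case $emcore_rev in
        r*[!0-9]*|r|[!r]*|'')
            echo "'$emcore' is neither rNNN nor a release file name" >&2
            return 2 ;;
    esac

    # The page's warning: mixed versions can leave the device unbootable.
    if [ "$app_rev" != "$emcore_rev" ]; then
        echo "refusing: fastboot is $app_rev but emCORE is $emcore_rev" >&2
        return 3
    fi

    [ -d "$root" ] || {
        echo "'$root' is not a mounted directory" >&2
        return 4
    }

    mkdir -p "$root/.boot" || return 5
    cp "$app" "$root/.boot/init.emcoreapp" || return 5

    # Read the copy back so a truncated write shows up now, not at boot.
    cmp -s "$app" "$root/.boot/init.emcoreapp" || {
        echo "copy on the device differs from the download" >&2
        return 6
    }
}
```

A call looks like <code>install_fastboot ~/Downloads/fastboot-r708-20110424.emcoreapp r708 /media/IPOD</code>, where the mount point is whatever path the iPod appears under.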
===Linux===
''Since files starting with a dot are hidden on Linux by default, you need to either show them (in your favourite file manager's options) or use the command line.''

An example of copying the file using the command line would be:
 mkdir -p /media/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /media/'''<your iPod's name>'''/.boot/init.emcoreapp
===Mac OS X===
''Files starting with a dot are hidden by default, so you need to either use the '''Terminal''' application, or change a system preference in order to show them.''

An example of copying the file using the '''Terminal''' would be:
 mkdir -p /Volumes/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /Volumes/'''<your iPod's name>'''/.boot/init.emcoreapp
==References==
<references />
b6d17c6e99895938183a7e24151db4b6a75a3dfa Talk:EmCORE 1 358 4041 3937 2011-10-27T06:02:40Z Tobolsk2002 350 /* Do not play video */ new section wikitext text/x-wiki
==Autoboot==
Is there any way to modify the config so that Rockbox boots automatically after (for example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC)

and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC)
== ATA error: -11 ==
When I click on rockbox I get this error. Is there any way to fix this? I just installed EmCORE.
: For others this was caused by a too old RockBox, so you might want to try upgrading it. --[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)
== Unable to restore Apple firmware on iPod Classic 1G ==
I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can an uninstall EmCORE option be put in the tools menu like the Nano 2g version? Thanks.
:Did you plug in your iPod to your computer?
Are you sure that you've been holding the combo for 10 seconds continuously? Adding an uninstall option in the menu wouldn't help at all BTW: You would have to restore with iTunes anyway which is only possible through DFU mode on the classic. The classic uninstallation is actually an '''improvement''' over the one used for the nano 2g. --[[User:Farthen|Farthen]] 11:57, 30 June 2011 (UTC) == Do not play video == Ipod Classic 80GB did everything according to instructions, everything was installed, it works! but does not play video, not to see all files avi, game Doom in the startup process hangs on init video. What should I do? b242716518ff1db76d70f3352b1bec6c3b666ff4 Talk:EmCORE 1 358 4042 4041 2011-10-27T09:47:21Z User890104 124 wikitext text/x-wiki ==Autoboot== Is there any way to modify the config so that Rockbox boots automatically after (far example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC) and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC) == ATA error: -11 == When i click on rockbox i get this error. Is there anyway to fix this? I just installed EmCORE. : For others this was caused by a too old RockBox, so you might wan't to try upgrading it. --[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC) == Unable to restore Apple firmware on iPod Classic 1G == I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can a uninstall EmCORE option be put in the tools menu like the Nano 2g version? Thanks. :Did you plug in your iPod to your computer? Are you sure that you've been holding the combo for 10 seconds continuously? 
Adding an uninstall option in the menu wouldn't help at all BTW: You would have to restore with iTunes anyway which is only possible through DFU mode on the classic. The classic uninstallation is actually an '''improvement''' over the one used for the nano 2g. --[[User:Farthen|Farthen]] 11:57, 30 June 2011 (UTC) == Do not play video == Ipod Classic 80GB did everything according to instructions, everything was installed, it works! but does not play video, not to see all files avi, game Doom in the startup process hangs on init video. What should I do? :# Rockbox supports only MPEG: [http://www.rockbox.org/wiki/PluginMpegplayer PluginMpegplayer] I'm not sure if it's implemented on the classics, you can give it a try with a sample file (encoding settings for iPod Video) :# Doom is known to be broken on the classics and is not fixed yet : --[[User:User890104|User890104]] 09:47, 27 October 2011 (UTC) e8a1c9fc8ddffb1b376a6e3f4cfc317967ec6bfc 4043 4042 2011-10-27T09:54:17Z User890104 124 wikitext text/x-wiki ==Autoboot== Is there any way to modify the config so that Rockbox boots automatically after (far example) 10 seconds? [[User:Wintermute|Wintermute]] 13:41, 5 April 2011 (UTC) : there is [[Fastboot]] which boots Rockbox as soon as the ipod is powered on --[[User:User890104|User890104]] 09:54, 27 October 2011 (UTC) == Original firmware == and where the standard software? You can make so that it too was that?[[User:Yar_Chi|Yar_Chi]] 20:30 , 5 April 2011 (UTC) : it is still not supported, it might be possible to have it working in the future --[[User:User890104|User890104]] 09:54, 27 October 2011 (UTC) == ATA error: -11 == When i click on rockbox i get this error. Is there anyway to fix this? I just installed EmCORE. : For others this was caused by a too old RockBox, so you might wan't to try upgrading it. 
--[[User:Benedikt93|Benedikt93]] 08:16, 10 April 2011 (UTC)

== Unable to restore Apple firmware on iPod Classic 1G ==
I need to revert to the Apple firmware but I am unable to enter DFU mode anymore. I tried following the instructions for the Classic here: http://www.freemyipod.org/wiki/EmCORE_Uninstallation But the iPod just endlessly resets if I hold down the Menu and Select buttons. Can a uninstall EmCORE option be put in the tools menu like the Nano 2g version? Thanks.
:Did you plug in your iPod to your computer? Are you sure that you've been holding the combo for 10 seconds continuously? Adding an uninstall option in the menu wouldn't help at all BTW: You would have to restore with iTunes anyway which is only possible through DFU mode on the classic. The classic uninstallation is actually an '''improvement''' over the one used for the nano 2g. --[[User:Farthen|Farthen]] 11:57, 30 June 2011 (UTC)

== Do not play video ==
Ipod Classic 80GB did everything according to instructions, everything was installed, it works! but does not play video, not to see all files avi, game Doom in the startup process hangs on init video. What should I do?
:# Rockbox supports only MPEG: [http://www.rockbox.org/wiki/PluginMpegplayer PluginMpegplayer] I'm not sure if it's implemented on the classics, you can give it a try with a sample file (encoding settings for iPod Video)
:# Doom is known to be broken on the classics and is not fixed yet
: --[[User:User890104|User890104]] 09:47, 27 October 2011 (UTC)
002112726879f52c21d1a825dd3695bd89745029
Talk:Nano 3G 1 391 4057 4056 2011-10-31T21:34:31Z User890104 124 wikitext text/x-wiki
== Audio-codec ? ==
How do we actually know that the 3G-nano uses WM1870 ? The only references to this chip on the internets are on ipod-liberating sites who all seem to be quoting the same single source. There is no mentioning of this chip on the 'wolfson'-site, no data-sheets to be found anywhere, etc etc .. Doesn't it make more business-sense that the nano 3G would use the same codec as the other ipod released in 2007 ('Classic')? [[User:Robert|Robert]] 18:48, 31 October 2011 (UTC)"
:I doubt that it's a Cirrus one. The nano 3G uses the same SoC as the classic, but the power manager and audio codec seems to be different. A quick glance shows neither evidence of Wolfson or Cirrus, so feel free to dig into the disassemblies to find out more. --[[User:TheSeven|TheSeven]] 19:18, 30 October 2011 (UTC)
::I will dig in, as time permits .
::But, You agree that there is no actual proof of what codec the 3G-Nano uses ?
::[[User:Robert|Robert]]
0a0bad799907414197b5c797a2024dd29f4c0306
User:Robert 2 392 4054 2011-10-31T18:51:52Z Robert 354 Created page with "Robert : Owner of a 3G-Nano and a 120GB Classic running emCore/Rockbox.." wikitext text/x-wiki
Robert : Owner of a 3G-Nano and a 120GB Classic running emCore/Rockbox..
daa8ad71325ee1e3f5ff03aaa8036948036b1ec8
EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 4059 4030 2011-11-03T07:31:41Z User890104 124 wikitext text/x-wiki
* Make sure that you have python 2.6 or 2.7, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed
* Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] or check out our [[SVN]]
* Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder
* Connect the iPod to the computer
* Make sure the hold switch is turned off
* Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version)
Your iPod should now turn on and display "UMSboot."
If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point, e.g. 'mkdir -p /media/disk', and mount the disk without specifying a file system type, e.g. 'sudo mount /dev/sdX /media/disk', where X is the drive letter from the previous step. It's a known issue that Linux might take a long time (over 10 minutes) to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
0d3a07eca78cc68a730755669ab2d4ad07d5c4b4
User:User890104 2 328 4070 4062 2011-11-12T22:47:39Z User890104 124 wikitext text/x-wiki
My name is Vencislav Atanasov. I am from Bulgaria. I enjoy writing pieces of software, mainly to improve my experience and knowledge. I own some iPods - a [[Nano 2G]], a [[Nano 3G]], a [[Nano 4G]] and a [[Classic 2G]].

I am providing the project with iPod Nano 2G and iPod classic [[emCORE]] installer builds, which are not suitable for everyday use, but if you feel adventurous, you can try them on your device. Detailed instructions on how to do this are available in the wiki. The binaries can be found at http://builds.freemyipod.org/

I am also working on a project that would provide easy access to iPod's internal storage using [[emCORE_Monitor_Protocol|emCORE's monitor protocol]], libusb and FUSE. It is working somehow, but it's still incomplete and needs to be optimised. If you are curious about my current progress, you can check it out at [http://svn.freemyipod.org/emcore/trunk/tools/emcorefs/ the SVN]

I would be happy to help anyone who has issues with his emCORE installation. Please ask in the support IRC channel, and if I am available, I'll try to answer your question.

[[File:Signature-user890104.gif]]
29f49d7414b9d4162a502c91998fed7f72541a4f
EmCORE Releases 0 346 4063 4034 2011-11-07T18:05:51Z User890104 124 reorder stuff wikitext text/x-wiki
Here is a list of all builds of [[emCORE]] that have been released to the public so far. '''Please do not use any other builds unless you really know what you're doing!'''

<span style="color: #f00;">'''If you use [[Fastboot|fastboot]], always make sure that you don't mix up different versions of emCORE and the fastboot application, because your device might be unable to boot and would need to be recovered with an additional set of tools!'''</span>

==r708: April 24th, 2011==
===Release notes / Known issues===
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. 
Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. 
If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> b280238cf7a1ec2e84167725ed1f1afaadbbfe2f IBugger 0 116 4065 3920 2011-11-09T02:27:32Z User890104 124 wikitext text/x-wiki {{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emCORE]].}} 
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]] The two iBugger utilities use a Python script that handles USB communication with the iPod. ===iBugger Loader=== iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos. ===iBugger (Core)=== [[File:iBL_logo.jpg|150px|thumb|right|iBugger]] iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are: * Up- and downloading memory regions * Executing uploaded code * Dumping the processor's registers * Halting the program and showing/modifying registers and/or memory contents * Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred * Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side) * Very little changes needed to the code being debugged, to allow running it in iBugger There are iBugger releases for the 2G and 4G Nanos. 
96efbc13d6c78676538f2b9f1606140d75a12b4e
User talk:Dexmaster 3 397 4079 4067 2011-11-16T17:03:22Z Dexmaster 363 wikitext text/x-wiki
Just in case, sorry if I'm posting in inappropriate place. But found topic "discussion" close enough for this question. I have iPod Nano(3g) 3 years or so, after some time I found out it's hard to crack, later that it's close to some iPod Classic (with few details from nano). Now I found out that on SVN in r779 there is emCORE for ipodnano3g. The question is: On which phase of creation is this emCORE or is it functional? (Could you give at least general answer to question: How long it will take to finish it?) Thanks a lot! Sorry for trouble.
:The nano 3g port is so broken at the moment, there is no code that have been run on this device so far (except an SRAM [[iBugger]] from DFU mode, which can't do much). The next step is to write init code for the bigger SDRAM. As you can see on [[Status]], some drivers have not been written yet. --[[User:User890104|User890104]] 15:39, 10 November 2011 (UTC)
::Thanks, but it's bad, I hoped it's on some better stage of development. :D It's quite good as it is, but I'd prefer to upload music through normal means *(not itunes or mediamonkey.
8251a84e5d6b780dd440aa8c6679439d61fa6f77
File:EmCORE Nano2G Nano4G Classic.jpg 6 398 4068 2011-11-12T17:16:39Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709
Main Page 0 50 4084 4069 2011-11-18T18:29:57Z User890104 124 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox].
Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] <!-- *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[Fastboot|emCORE Fastboot]] ** [[emCOREFS]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} e53cd4cf1882902303f5713f6501a5a33d4cab3b User:MSaki 2 399 4071 2011-11-14T10:48:53Z MSaki 365 Created page with "Ipod nano 2nd and 4th gen (i wish to crack 4th gen nano to run rockbox some day) 6 ipods for ability to force to death if needed 1 ipod nano 4th gen 2 ipod nano 1st gen 2 ipo..." wikitext text/x-wiki Ipod nano 2nd and 4th gen (i wish to crack 4th gen nano to run rockbox some day) 6 ipods for ability to force to death if needed 1 ipod nano 4th gen 2 ipod nano 1st gen 2 ipod nano 2nd gen 1 ipod nano 3rd gen ofc ipods 2nd gen can run a fully flashed emcore. 
Ipod nano 4th gen cannot be flashed exactly i thought i saw something that was flasher related on an old google code somewhere but i still haven't re found the page yet. I <3 ipod nano 4th gen also love python so feel free to ask for help. Night guys have a great Thanksgiving :) 712f126212290423b2495540b65c515c8d4c86b7 Talk:EmCORE Installation/iPodNano2G 1 400 4072 2011-11-15T01:25:49Z Binavik 56 Created page with "I followed iLoader's installation instructions, replacing the .ipodx files, and after I ejected the iPod, I get a white screen with "emCORE v0.2.2 r708" at the top. I left it alo..." wikitext text/x-wiki I followed iLoader's installation instructions, replacing the .ipodx files, and after I ejected the iPod, I get a white screen with "emCORE v0.2.2 r708" at the top. I left it alone for about a half hour and nothing happened. Should I be using the .ubi and .bootnote files too, if so then what do I do with them. --binavik dfee0ed68d74c45c7b30337dc5a88fe05f1b80f1 4076 4072 2011-11-15T19:53:02Z User890104 124 wikitext text/x-wiki I followed iLoader's installation instructions, replacing the .ipodx files, and after I ejected the iPod, I get a white screen with "emCORE v0.2.2 r708" at the top. I left it alone for about a half hour and nothing happened. Should I be using the .ubi and .bootnote files too, if so then what do I do with them. --binavik :You should use iLoader instead. Or join our support IRC channel and we could provide you with alternative solutions --[[User:User890104|User890104]] 19:53, 15 November 2011 (UTC) 2652afdfea03953cf83a4b7532618423320af7ea Talk:Todo list 1 401 4073 2011-11-15T16:40:40Z Robert 354 1G/2G/3G Classic HDD-layout wikitext text/x-wiki == 1G/2G/3G Classic HDD-layout == I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set . Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry,listed as "FAT1" , and the technical report complains that " FAT1 < FAT2 " . 
But the disk needs to be connected to a proper controller for any accurate results .. (Why the super-floppy formatting btw ?) ff4f5161fae5b7fde23b311cb2271e19f541189d 4074 4073 2011-11-15T16:40:57Z Robert 354 /* 1G/2G/3G Classic HDD-layout */ wikitext text/x-wiki == 1G/2G/3G Classic HDD-layout == I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set . Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry,listed as "FAT1" , and the technical report complains that " FAT1 < FAT2 " . But the disk needs to be connected to a proper controller for any accurate results .. (Why the super-floppy formatting btw ?) d604485e7d13eecff145ce28c02f110fe312ebaa 4075 4074 2011-11-15T16:41:58Z Robert 354 /* 1G/2G/3G Classic HDD-layout */ wikitext text/x-wiki == 1G/2G/3G Classic HDD-layout == I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set . Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry,listed as "FAT1", and the technical report complains that " FAT1 < FAT2 " . But the disk needs to be connected to a proper controller for any accurate results .. (Why the super-floppy formatting btw ?) Robert c0f102ee6442af88ee5c0b641f1f1a0eb0fc0765 4077 4075 2011-11-15T20:04:38Z TheSeven 13 wikitext text/x-wiki == 1G/2G/3G Classic HDD-layout == I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set . :There definitely is no ATA password, and I don't know of an HPA. I'm not even sure if the CE-ATA drive supports HPAs. The hiding of the firmware partition is most likely done by the iPod firmware. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC) Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry,listed as "FAT1", and the technical report complains that " FAT1 < FAT2 " . But the disk needs to be connected to a proper controller for any accurate results .. 
:emCORE/Rockbox is a proper controller for that kind of operation. And WinHEX has a lot of problems with non-512 byte sectors, causing it to miscalculate a bunch of sector numbers. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC) (Why the super-floppy formatting btw ?) Robert :What would a partition table be good for? Superfloppy seems like the straight-forward choice to me. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC) 22f3699fb5e362969a5f66e0aa023ffbb63ea47a User talk:MSaki 3 404 4081 2011-11-17T05:47:47Z MSaki 365 Created page with "All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th ge..." wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight 3f3877f3fa96b4c8e5eec2fe5b8ddf879d9a2468 4082 4081 2011-11-17T13:57:15Z User890104 124 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. 
--[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) 08641a1486610c118cb2294df2e576db1524152f 4087 4082 2011-11-19T08:02:35Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while xD wouldn't count them as problems really 5aba47b3ce2db1dfdaf4aa7d1ab007f966364b5b 4088 4087 2011-11-19T08:04:12Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? 
thats just strange xD 2e780c77a27d146813c4008c27aef522464972c2 4089 4088 2011-11-19T13:20:05Z User890104 124 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) 5a9f44a7e5001fd63a2211b84df964dabf0f33ed 4093 4089 2011-11-20T09:15:04Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? 
thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. af9fba1844582be00b2289495e77b41983b7464e 4094 4093 2011-11-20T10:53:30Z User890104 124 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. :There aren't much changes to emcore itself, more likely to the tools. Just curious, what is your IRC name? eceb3d6e72497abb9da1d63eb3d605f00ed4b1b5 4095 4094 2011-11-20T10:53:43Z User890104 124 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. 
feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. :There aren't much changes to emcore itself, more likely to the tools. Just curious, what is your IRC name? --[[User:User890104|User890104]] 10:53, 20 November 2011 (UTC) 30a10e8ecd7fcaab20a2351260c818b12ee6d3bc 4096 4095 2011-11-21T11:29:41Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. :There aren't much changes to emcore itself, more likely to the tools. Just curious, what is your IRC name? 
--[[User:User890104|User890104]] 10:53, 20 November 2011 (UTC) lmao MSaki same as here. surprised that i was still reged there as it was 1 year ago and i came back about 2 months ago c251f0a71cd887ee99e61fdffbacfacf0c298734 4097 4096 2011-11-21T11:30:51Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. :There aren't much changes to emcore itself, more likely to the tools. Just curious, what is your IRC name? --[[User:User890104|User890104]] 10:53, 20 November 2011 (UTC) lmao MSaki same as here. surprised that i was still reged there as it was 1 year ago and i came back about 2 months ago. cant wait for the day ipod nano 4th gen can have emcore flashed to it..one day... acb414ffadc0bc9fb05e83c2ee518095cfcc3b89 4098 4097 2011-11-21T11:42:31Z MSaki 365 wikitext text/x-wiki All newer emcore builds tested never get past console or panic. 765 works but all above crash after install, requiring python to re install via recovery method. 
ipod nano 4th gen works great with quite a few emcore builds but i can never get it to load it fully sometimes. so far iv found that ipod nano 2nd gen + emcore 765 is working quite well nothing iv seen wrong at all yet. feel like getting crazy and digging / sniffing for pinouts on all my ipods mobos for curiosity GoodNight :Hello, please join our IRC channel if you have problems with any of the builds, and for more detailed information. --[[User:User890104|User890104]] 13:57, 17 November 2011 (UTC) already have as iv been around for a while on irc freednode and rizon xD wouldn't count them as problems really Whats with all the food posts ?? thats just strange xD :Stupid spammers... :) --[[User:User890104|User890104]] 13:20, 19 November 2011 (UTC) ah i was wondering what that was. oh i see some new builds to check out brb. :There aren't much changes to emcore itself, more likely to the tools. Just curious, what is your IRC name? --[[User:User890104|User890104]] 10:53, 20 November 2011 (UTC) lmao My Nick is MSaki, i pop in and out on #defocus and also #freemyipod same as here. surprised that i was still reged there as it was 1 year ago and i came back about 2 months ago. guess they didn't remove my nick or there is no restriction set (glitch?) cant wait for the day ipod nano 4th gen can have emcore flashed to it..one day... have a great day cya later. 18960ee7f985c721d3af2f95d7b85b1b53542ff7 EmCOREFS 0 377 4083 3997 2011-11-17T17:18:35Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is not yet complete, but most features are done. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 5. maybe other packages ===Compiling=== make - standard build, no debug messages, only fatal errors on startup are shown. make debug - debug build, some debug/error messages are shown. 
libusb debug messages are enabled, too. ===Testing=== make test - run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make testdebug - run the build in the foreground, showing FUSE debug messages in the terminal. ==Running== You need FUSE >= 2.8 installed. Currently only tested on Linux (Ubuntu 11.04 in my case). Maybe an OSX-compatible version would appear at some point. Starting: ./emcorefs <mountpoint> Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. 
0203a2b04419cf4af8e6b2b788c19b533a15374c 4085 4083 2011-11-18T18:32:30Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 5. maybe other packages ===Compiling=== make - standard build, no debug messages, only fatal errors on startup are shown. make debug - debug build, some debug/error messages are shown. libusb debug messages are enabled, too. ===Testing=== make test - run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make testdebug - run the build in the foreground, showing FUSE debug messages in the terminal. ==Running== You need FUSE >= 2.8 installed. Currently tested on Linux (Ubuntu 11.04) and Mac OS X (10.6.8). Starting: ./emcorefs <mountpoint> Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. 
[[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. a6d9f1e09bc2820e9e5733d550e6386ff0efc6bd 4086 4085 2011-11-18T18:46:05Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Compiling=== make - standard build, no debug messages, only fatal errors on startup are shown. make debug - debug build, some debug/error messages are shown. libusb debug messages are enabled, too. ===Testing=== make test - run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make testdebug - run the build in the foreground, showing FUSE debug messages in the terminal. ==Running== You need FUSE >= 2.8 installed. Currently tested on Linux (Ubuntu 11.04) and Mac OS X (10.6.8). Starting: ./emcorefs <mountpoint> Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. 
* Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. 8631445d57d4bf94584cf6719752ace509997e94 4090 4086 2011-11-19T14:14:08Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. 
===Testing=== * run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make test * run the build in the foreground, showing FUSE debug messages in the terminal. make testdebug ==Running== You need FUSE >= 2.8 installed. Currently tested on Linux (Ubuntu 11.04) and Mac OS X (10.6.8). * Starting: ./emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. f59922d840b45a45e940ff23d949304de6ab10b0 4091 4090 2011-11-19T14:17:17Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. 
It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make test * run the build in the foreground, showing FUSE debug messages in the terminal. make testdebug ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04) and Mac OS X (10.6.8). * Starting: ./emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. 
[[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. dfbb830fe18da22354bfea2272f5a734f090edaa 4092 4091 2011-11-19T14:17:39Z User890104 124 wikitext text/x-wiki
emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to communicate with the device's FS. It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0.

==Building==
You need:
1. GCC/Make (Xcode on OS X)
2. pkg-config
3. libusb >= 1.0
4. libfuse >= 2.8 (or fuse4x on x64 OS X)
5. all dependencies of the above

===Compiling===
* Standard build: no debug messages; only fatal errors on startup are shown.
 make
* Debug build: some debug/error messages are shown, and libusb debug messages are enabled too.
 make debug
You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" to get a dump of the USB traffic that is being sent and received.

===Testing===
* Run the build without FUSE debugging messages, going into the background if it connects to the device successfully.
 make test
* Run the build in the foreground, showing FUSE debug messages in the terminal.
 make testdebug

==Running==
You need FUSE >= 2.8 (or fuse4x on x64 OS X) installed. Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64).
* Starting:
 ./emcorefs <mountpoint>
* Stopping:
 fusermount -u <mountpoint as seen in /etc/mtab>

==Known bugs/issues==
* Write support is not well tested.
* Running FUSE with multithreading breaks file reading because of the way file reads are implemented on emCORE's side. Workaround: use the "-s" option.
* Most errors are not handled properly: EIO (Input/output error) is returned in many cases where a more descriptive error message is available. This will be fixed in the future.

==Future plans==
* Merge functions that do similar tasks to reduce code duplication. Return proper error codes in FS operations.

==Bug reporting==
Main developer: [[User:User890104|Vencislav "user890104" Atanasov]]

How to contact: [[Contact]]

==License terms==
emCOREFS is distributed under the same license terms as [[emCORE]].

[[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

[[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/.
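The Building, Running and Known bugs/issues steps above, collected into one POSIX shell wrapper as an added example (not part of emCOREFS or of this wiki): it checks the listed library versions before building, always passes "-s", refuses a non-empty or already-mounted mountpoint, and looks up the mounts to stop in /etc/mtab. The `fuse.emcorefs` type string, the `EMCOREFS_BIN` variable, the function names, and the assumption that emcorefs accepts FUSE options before the mountpoint are not from the page.

```shell
#!/bin/sh
# Added example: wrapper around the emCOREFS build/start/stop commands from this page.
# Assumptions (not from the page): the mount is listed in mtab with type
# "fuse.emcorefs", EMCOREFS_BIN points at the built binary, and emcorefs
# accepts FUSE options such as -s before the mountpoint.

EMCOREFS_BIN="${EMCOREFS_BIN:-./emcorefs}"

# Check the library versions listed under "Building" before running make.
check_deps() {
    pkg-config --atleast-version=1.0 libusb-1.0 ||
        { echo "libusb >= 1.0 not found" >&2; return 1; }
    pkg-config --atleast-version=2.8 fuse ||
        { echo "libfuse >= 2.8 not found" >&2; return 1; }
}

# Print the mountpoints of emCOREFS mounts found in an mtab-format file
# (default /etc/mtab). mtab stores a space inside a path as \040, so decode
# it to get a path that can be handed back to fusermount.
emcorefs_mounts() {
    awk '$3 == "fuse.emcorefs" { gsub(/\\040/, " ", $2); print $2 }' \
        "${1:-/etc/mtab}"
}

# Succeed only if $1 is an existing, empty directory that is not already an
# emCOREFS mount according to the mtab file in $2 (default /etc/mtab).
mountpoint_ok() {
    dir="$1"
    mtab="${2:-/etc/mtab}"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: not empty" >&2; return 1; }
    if emcorefs_mounts "$mtab" | grep -Fxq -- "$dir"; then
        echo "$dir: already mounted" >&2
        return 1
    fi
    return 0
}

# Succeed if "-s" is missing from the given options, i.e. it must be added
# to avoid the multithreaded-read problem listed under "Known bugs/issues".
needs_single_thread_flag() {
    for arg in "$@"; do
        [ "$arg" = "-s" ] && return 1
    done
    return 0
}

# start_emcorefs <mountpoint> [fuse options...]
start_emcorefs() {
    mp="$1"
    shift
    mountpoint_ok "$mp" || return 1
    if needs_single_thread_flag "$@"; then
        set -- -s "$@"
    fi
    "$EMCOREFS_BIN" "$@" "$mp"
}

# Unmount every emCOREFS mount listed in /etc/mtab.
stop_emcorefs() {
    emcorefs_mounts | while IFS= read -r mp; do
        fusermount -u "$mp"
    done
}

main() {
    case "$1" in
        build) check_deps && make ;;
        start) shift; start_emcorefs "$@" ;;
        stop)  stop_emcorefs ;;
        *) echo "usage: $0 build | start <mountpoint> [fuse options] | stop" >&2
           return 2 ;;
    esac
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```
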
6df4f965a9bd9dfed36c411b118546ba26a09128 User talk:User890104 3 405 4099 2011-11-22T09:03:43Z MSaki 365 Created page with "seems like Project summary has gone dead boss :)" wikitext text/x-wiki seems like Project summary has gone dead boss :) 632a17bdefdc7d88f7de5505b17504272a426067 4100 4099 2011-11-22T09:03:55Z MSaki 365 wikitext text/x-wiki seems like Project summary has gone dead boss :) -MSaki aaec18e29337a4331f54606610b58e940222ef8f User talk:User890104 3 405 4101 4100 2011-11-22T09:05:11Z MSaki 365 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki 674b1dc130e8bdd5744584e2a6a9f779584a3683 4103 4101 2011-11-22T12:58:30Z User890104 124 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) f5e036f87d9c763301117b74180f54bca82de326 4112 4103 2011-11-23T08:58:53Z MSaki 365 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. /me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later b5cf28b59b2d467f93a5ce51b6c6af009acb1f8c 4113 4112 2011-11-23T08:59:19Z MSaki 365 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. 
--[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. /me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later e5be5418d73a18ffca88c491cd70d42d5efe7933 4114 4113 2011-11-23T18:23:11Z User890104 124 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. /me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later :you might be looking for http://www.freemyipod.org/w/data/theseven/releases/snapshot-201003100612-public.7z :i might be the most active wiki user at the moment, but the others are also doing some important stuff like writing the code. --[[User:User890104|User890104]] 18:23, 23 November 2011 (UTC) 83a2ce67a790c5d6d8bc41c015e988c4f5b25366 4116 4114 2011-11-24T09:12:37Z MSaki 365 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. 
/me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later :you might be looking for http://www.freemyipod.org/w/data/theseven/releases/snapshot-201003100612-public.7z :i might be the most active wiki user at the moment, but the others are also doing some important stuff like writing the code. --[[User:User890104|User890104]] 18:23, 23 November 2011 (UTC) yea one thing thx ill go looking for the others. ~MSaki 7f16862ea6ec138f577a3398f7ccd5a15604fc11 4117 4116 2011-11-24T09:23:34Z MSaki 365 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. /me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later :you might be looking for http://www.freemyipod.org/w/data/theseven/releases/snapshot-201003100612-public.7z :i might be the most active wiki user at the moment, but the others are also doing some important stuff like writing the code. --[[User:User890104|User890104]] 18:23, 23 November 2011 (UTC) yea one thing thx ill go looking for the others. also emcore build 817 installed great on my ipod nano 2nd gen. 
(i was wondering how fast boot worked as i dont notice any type of intergration as of 808 or am i looking in the wrong place xD)~MSaki df20594d2f497daf92000d8bc38a864f883836da 4118 4117 2011-11-24T10:12:19Z User890104 124 wikitext text/x-wiki seems like the link in Project summary has gone dead boss :) specifically the link to the pdf is 404 -MSaki :uhm well i'm not really a "boss", but as you say :) fixed it. --[[User:User890104|User890104]] 12:58, 22 November 2011 (UTC) sorry to make you feel weird but your a boss to me :) as you seem to be the most active user and have been helping with the builds etc. /me follows you XD on that i saw a old google code page with theseven on it that had some ipod nano 4th gen install samples for python but after i lost my hdd iv been looking for them :( tell me if you see them. cya later :you might be looking for http://www.freemyipod.org/w/data/theseven/releases/snapshot-201003100612-public.7z :i might be the most active wiki user at the moment, but the others are also doing some important stuff like writing the code. --[[User:User890104|User890104]] 18:23, 23 November 2011 (UTC) yea one thing thx ill go looking for the others. also emcore build 817 installed great on my ipod nano 2nd gen. (i was wondering how fast boot worked as i dont notice any type of intergration as of 808 or am i looking in the wrong place xD)~MSaki :it's not completely ready yet, and i knew that someone would ask for that. it's implemented on the classics and it's going to be on the nano2g as well. 
the point is to warn people to not install the fastboot app anymore, because it's known for causing trouble when not used properly (mixing different versions) --[[User:User890104|User890104]] 10:12, 24 November 2011 (UTC) 1968171bbcd7a4fdbb2462674395da43571079e0 Fastboot 0 366 4104 4032 2011-11-22T13:13:24Z User890104 124 wikitext text/x-wiki

{{outdated|reason=Since r808, fastboot is discontinued, because its functionality is going to be integrated in the boot menu itself. Please don't install the fastboot app anymore.}}

Fastboot is an [[emCORE]] application that runs [http://www.rockbox.org/ Rockbox] as soon as the device is powered on. It is preferred by many users, and it is not so hard to install.

'''Nano 2G users''': If you mainly use Apple's firmware and would like to "fastboot" into it, please ask on IRC for a modified fastboot build that boots OF<ref name="OF">'''OF''' stands for '''Original firmware'''</ref> instead.

==Usage==
*To boot [http://www.rockbox.org/ Rockbox] with fastboot installed, just power your iPod on.
*To launch the boot menu instead, '''hold''' any key while your iPod is turning on until you see the menu.

==Installation==
<span style="color: #f00; font-size: 16px;">'''WARNING: Always use the same version of [[emCORE]] and fastboot! Mixing up versions may lead to a condition where your iPod won't boot, and would require recovering with an additional set of tools!'''</span>

Installing fastboot is actually done by copying '''fastboot.emcoreapp''' under the name '''init.emcoreapp''' to a folder named '''.boot''' in the root folder of your iPod's flash memory/hard drive. Here are some instructions how to do that on different OSes<ref name="OS">'''OS''' stands for '''Operating system'''</ref>.
===Windows===
''It is not possible to create such a folder using Windows's GUI<ref name="GUI">'''GUI''' stands for '''Graphical user interface'''</ref>.''
# Connect your iPod in OF<ref name="OF" />, [http://www.rockbox.org/ Rockbox] or Disk mode so it appears in My computer as a storage device. Note the drive letter (for example, '''F:''').
# Open '''Command prompt''' (Start -> Programs -> Accessories -> Command prompt).
# Enter the drive letter from step 1 with the colon at the end and press Enter.
# Enter the following commands:
 cd /
 mkdir .boot
Next, download the fastboot application that matches your emCORE version to the newly created '''.boot''' folder in your iPod. Don't forget to rename it to '''init.emcoreapp''' or it won't be loaded at all.

===Linux===
''Since files starting with a dot are hidden on Linux by default, you need to either show them (in your favourite file manager's options) or use the command line.''

An example to copy the file using the command line would be:
 mkdir -p /media/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /media/'''<your iPod's name>'''/.boot/init.emcoreapp

===Mac OS X===
''Files starting with a dot are hidden by default, so you need to either use the '''Terminal''' application, or change a system preference in order to show them.''

An example to copy the file using the '''Terminal''' would be:
 mkdir -p /Volumes/'''<your iPod's name>'''/.boot
 cp ~/Downloads/fastboot.emcoreapp /Volumes/'''<your iPod's name>'''/.boot/init.emcoreapp

==References==
<references />

9e6401127a8128a0d6e4591b3daf0a5889687e2c Main Page 0 50 4105 4084 2011-11-22T13:14:09Z User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project.
Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] <!-- *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! 
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} d87f25eced7cbf0b7f227f62e56255cc121afa83 4152 4105 2012-01-02T00:24:58Z User890104 124 announce the new release wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. 
Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2012-01-01}} - A new release ([[EmCORE_Releases/r855|r855]]) is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the [[EmCORE_Releases/r855|release details page]]. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 *{{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] <!-- *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! 
*{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} bccb3c121724b75e88188d6abe5bf59b55d0a8ec EmCORE 0 323 4106 3996 2011-11-22T13:16:19Z User890104 124 wikitext text/x-wiki ==emCORE kernel== emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day). 
===Features===
* Preemptive multitasking
* Can run multiple independent apps at the same time
* Shared library support
* USB debugging API
* FAT32 file system access
* LCD text console and graphics API
* Can run other kernels (such as [http://www.rockbox.org/ Rockbox]) through a kexec-like interface
* ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer)

==emCORE boot menu==
When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options.

==emCORE fastboot==
[[Fastboot]] was an emCORE application that was used to launch [http://www.rockbox.org/ Rockbox] or OF instantly when the iPod turns on. It is now discontinued, and its functionality is moved to the Boot menu.

==emCOREFS==
[[emCOREFS]] is a filesystem wrapper around [[EmCORE_Monitor_Protocol|emCORE's Monitor Protocol]] that uses [http://libusb.org/wiki/libusb-1.0 libusb 1.0] to connect to a device running emCORE and [http://fuse.sourceforge.net/ FUSE] to mount its storage in a directory.

==Installation instructions==
There's an installation wizard available on [[EmCORE Installation|this page]].

==Uninstallation instructions==
There's an uninstallation wizard available on [[EmCORE Uninstallation|this page]].

7883e6302fc7893633b2552367cb119b4f081baa EmCORE Installation/iPodNano2G 0 342 4107 4033 2011-11-22T13:18:13Z User890104 124 wikitext text/x-wiki

Your device is fully supported by [[emCORE]], but there are some bugs left, so it's not yet recommended for end users. If you would like to dualboot [http://www.rockbox.org/ Rockbox] and Apple's firmware, it would be safer to use Rockbox's bootloader or [http://theseven.freemyipod.org/iloader/ iLoader].
If you would like to install [[emCORE]] on your iPod Nano 2G, you can follow the [http://theseven.freemyipod.org/iloader/installation.php iLoader install instructions], but substitute iLoader's .ipodx file with '''installer-ipodnano2g.ipodx''' from [[EmCORE_Releases|the Releases page]].

If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, OF, UMSboot, Disk mode, etc.)

9e44c3d204e540a8e1f5ed35c600068debe6b999 EmCORE Installation/iPodClassic/UMSboot 0 347 4108 4031 2011-11-22T13:18:47Z User890104 124 wikitext text/x-wiki

* Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page
* Save it to the 64MB-sized "UMSboot" volume
* Safely eject (or unmount on Linux) that volume
* Disconnect your iPod from your PC
* Follow the on-screen instructions

If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]].

* Choose the "Rockbox" option
* Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.)
* Connect your iPod to your computer
* Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute)
* Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page
* Extract its contents to the root directory of your iPod's hard disk drive
* Safely eject (or unmount on Linux) your iPod's hard disk drive
* Disconnect your iPod from your PC
* Wait for Rockbox to return to the main menu (may take around half a minute)
* Shut down Rockbox by holding the play button for several seconds

Congratulations, you have successfully installed [[emCORE]] and Rockbox!

If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.)
246d5ea590ae834db5faadc8230f62e632aceb7b EmCORE Releases 0 346 4109 4063 2011-11-22T13:21:32Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''Using of [[Fastboot|fastboot]] is discouraged! The recent versions of emCORE have a Settings menu, where you can choose the default boot option. It is recommended to uninstall the fastboot app and use a recent release instead.'''</span> ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu] <small>(some people have reported that this file gives an error: ''Exception: DFU upload failed! (2 / 7)'' so if you also see this message, please use bootstrap-ipodclassic.dfu from the previous release)</small><br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. 
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 42422392ef898ee93822011a46a4ad06186704f0 4119 4109 2011-11-26T18:04:18Z User890104 124 fixed a broken release wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''Using of [[Fastboot|fastboot]] is discouraged! The recent versions of emCORE have a Settings menu, where you can choose the default boot option. 
It is recommended to uninstall the fastboot app and use a recent release instead.'''</span> ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot 
menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. 
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 1c1e5778da2f8accb7963ca49a4e5291604a6af2 4120 4119 
2011-11-27T03:06:27Z Farthen 28 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''Using [[Fastboot|fastboot]] is discouraged! The recent versions of emCORE have a settings menu, where you can choose the default boot option. It is recommended to uninstall the fastboot app and use a recent release instead.'''</span> ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. 
===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. 
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 4fdf373bac5350f8c3d54e24a1c5fead0abc8ad3 4122 4120 2011-11-27T03:22:00Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''Using [[Fastboot|fastboot]] is discouraged! The recent versions of emCORE have a "Tools" => "Settings" menu, where you can choose the default boot option. It is recommended to uninstall the fastboot app and use a recent release instead.'''</span> ==r708: April 24th, 2011== ===Release notes / Known issues=== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. 
Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages. * Added trivial memory protection to catch most null pointer or garbage memory address accesses. * Fixed a race condition in libUI that caused the boot menu to crash occasionally. * Fixed various graphics glitches in the boot menu. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/> ==r692: April 6th, 2011== ===Release notes / Known issues=== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. 
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Disabled undervolting for the iPod Classic. * Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display. ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/> ==r674: March 25th, 2011== ===Release notes / Known issues=== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. 
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ===Fixes / Improvements=== * Initial public [[emCORE]] release ===Files=== ====Common==== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ====iPod Nano 2G==== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ====iPod Classic==== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 2641dec43cefd3fe5a0e51a908f5098b91b3304f 4127 4122 2011-11-30T14:58:36Z User890104 124 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' <span style="color: #f00;">'''Using [[Fastboot|fastboot]] is discouraged! 
The recent versions of emCORE have a "Tools" => "Settings" menu, where you can choose the default boot option. It is recommended to uninstall the fastboot app and use a recent release instead.'''</span>

The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another.

* [[EmCORE_Releases/r708|emCORE r708 (24.04.2011)]]
* [[EmCORE_Releases/r692|emCORE r692 (06.04.2011)]]
* [[EmCORE_Releases/r674|emCORE r674 (25.03.2011)]]

8cbc186844c75585baf7201dd504e32860076224

4131 4127 2011-11-30T15:04:30Z User890104 124 wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released into public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

<span style="color: #f00;">'''Using [[Fastboot|fastboot]] is discouraged! The recent versions of emCORE have a "Tools" => "Settings" menu, where you can choose the default boot option. It is recommended to uninstall the fastboot app and use a recent release instead.'''</span>

The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another.

* [[EmCORE_Releases/r708|'''emCORE r708 (24.04.2011)''']]
* [[EmCORE_Releases/r692|emCORE r692 (06.04.2011)]]
* [[EmCORE_Releases/r674|emCORE r674 (25.03.2011)]]

5811aef1d31db377a4765275fae42bf9f6207c13

4136 4131 2011-12-04T01:38:11Z TheSeven 13 wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released into public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another.

* [[EmCORE_Releases/r708|'''emCORE r708 (24.04.2011)''']]
* [[EmCORE_Releases/r692|emCORE r692 (06.04.2011)]]
* [[EmCORE_Releases/r674|emCORE r674 (25.03.2011)]]

c405ec0e8cf822cf383e81319126060639c6d4dc

4150 4136 2012-01-01T23:25:59Z TheSeven 13 wikitext text/x-wiki

Here is a list of all builds of [[emCORE]] that have been released into public so far.

'''Please do not use any other builds unless you really know what you're doing!'''

The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another.

* [[EmCORE_Releases/r855|'''emCORE r855 (2012-01-01)''']]
* [[EmCORE_Releases/r708|emCORE r708 (2011-04-24)]]
* [[EmCORE_Releases/r692|emCORE r692 (2011-04-06)]]
* [[EmCORE_Releases/r674|emCORE r674 (2011-03-25)]]

7adf49798e6f5edc6dee7d7748632e49b0ad8809

Talk:Todo list 1 401 4110 4077 2011-11-22T18:35:11Z Robert 354 /* 1G/2G/3G Classic HDD-layout */ wikitext text/x-wiki

== 1G/2G/3G Classic HDD-layout ==

I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set.
:There definitely is no ATA password, and I don't know of an HPA. I'm not even sure if the CE-ATA drive supports HPAs. The hiding of the firmware partition is most likely done by the iPod firmware. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

How? Isn't that pretty much what HPA/DCOs were created for? Have you verified if there is a HPA/DCO or not? (I don't have the setup to do it myself atm. Also, I don't know of any tools that reliably can detect a HPA/DCO over a USB-connection?) I see posts on the internets suggesting there IS in fact a HPA/DCO, at least on some models .. http://forum.hddguru.com/toshiba-apple-ipod-protected-harddrives-t10669-40.html (Yes, it's for the 5G, I know, but there has to be a reason that you can't just transplant any HDD with the right interface you like, to an ipod, right? (And there's only one ipod using CE-ATA AFAIK)?)
Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry, listed as "FAT1", and the technical report complains that "FAT1 < FAT2". But the disk needs to be connected to a proper controller for any accurate results ..
:emCORE/Rockbox is a proper controller for that kind of operation. And WinHEX has a lot of problems with non-512 byte sectors, causing it to miscalculate a bunch of sector numbers. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

Or maybe the numbers don't add up because the HPA is there and thus the numbers reported are faked? (Why the super-floppy formatting btw?) Robert
:What would a partition table be good for? Superfloppy seems like the straight-forward choice to me. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

c0e414025b3496ec6e81847ae79a119b77ca1e97

4111 4110 2011-11-22T18:37:21Z Robert 354 wikitext text/x-wiki

== 1G/2G/3G Classic HDD-layout ==

I'm pretty certain there is a HPA/DCO on those drives, and that ATA pw is set.
:There definitely is no ATA password, and I don't know of an HPA. I'm not even sure if the CE-ATA drive supports HPAs. The hiding of the firmware partition is most likely done by the iPod firmware. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

Also, when viewing the physical disk of my emCore'd Classic in win-hex (over USB) there is a 120MB entry, listed as "FAT1", and the technical report complains that "FAT1 < FAT2". But the disk needs to be connected to a proper controller for any accurate results ..
:emCORE/Rockbox is a proper controller for that kind of operation. And WinHEX has a lot of problems with non-512 byte sectors, causing it to miscalculate a bunch of sector numbers. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

Or maybe the numbers don't add up because the HPA is there and thus the numbers reported are 'faked'? (Why the super-floppy formatting btw?) Robert
:What would a partition table be good for? Superfloppy seems like the straight-forward choice to me. --[[User:TheSeven|TheSeven]] 20:04, 15 November 2011 (UTC)

1525b33fc9aee7557c9eeedfb75256766ba1a8d1

Nano4G firmware upgrade process 0 186 4121 2753 2011-11-27T03:15:14Z User890104 124 wikitext text/x-wiki

==Protocol description==
the whole firmware update is done through a custom 0xc6 scsi command

first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response (meaning unknown)

maybe the count of update log entries?

then the last update log page (4KB) is read using a c6 97 00 01 00 00 00 00 00 00 packet

then a new log page (4KB) is written using a c6 98 00 01 00 00 00 00 00 00 packet

then there is a c6 94 00 02 80 00 00 00 00 00 00 00 00 00 00 00 packet, no idea what it's good for, no data stage

the next stage is uploading the "N58s.bootloader.release.rb3" file, using a c6 90 <type> <size> 00 00 00 00 00 00 00 00 00 packet

<type> is 00 for the MSE, and 01 for the RB3 file, size is the big endian 32bit file size

the transfer itself is done using c6 91 00 10 00 00 00 00 00 00 packets, each (besides the last one, which is trimmed to the number of bytes left to be transferred) followed by 5 data stages, being 16384, 3584, 16384, 16384 and 12800 bytes in size

I can't think of any reason for this weird splitting, maybe it isn't even necessary and just an itunes weirdness

then the transfer is closed using a c6 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 packet

the next step is uploading "Firmware.MSE" the same way

finally a c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 is sent (no data stage), and another log entry is written

that's the whole deal. -- [[User:TheSeven|TheSeven]] 22:21, 30 November 2009 (UTC)

==Sending commands==
To send these commands on Linux you need scsirastools (http://scsirastools.sourceforge.net/). On Debian you have to build it yourself using configure, make, make install. Once it is built, run as root:

 sgdiag -I

You will get a prompt. First type c to send a custom command, then the number of the device (the list is just above). The CDB length is 10, then the bytes are c6 ... (e.g. c6 97 00 01 00 00 00 00 00 00 for the first one). The response data length is 4 bytes for the first command, 0 for the ones with no data stage or for uploading firmware or log sending, and 4096 for log reading. The output data length is the size of the data sent to the iPod (excluding the command). That's it. If the device is an iPod you should get a response; if it isn't, you will get an error message.

==Commands summary==
0xc6 is the first byte, then:
* 0x90 <type> <4-byte size> [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> init update process (type 0 = firmware, 1 = bootloader)
* 0x91 0x00 0x10 [0x00 0x00 0x00 0x00 0x00 0x00] + data -> upload data
* 0x92 [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> end update process
* 0x94 <be32:fwpartsize_in_kb> [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> repartition HDD/flash; only useful when restoring or if the firmware partition was altered. It is not used when an update (preserving user data/settings) is performed.

The bytes in brackets are optional.

TheSeven: from what it looks like the 96 and 31 commands don't even have a handler on the ipod side

==Automated image uploading==
There's an app that implements this protocol. Its source code is available at [http://svn.freemyipod.org/tools/ipodscsi/ our SVN]. Use MinGW to compile it (or get the binary [http://files.freemyipod.org/tmp/ipodscsi.exe here]); only a Windows version is available at the moment. It's written with [[Classic 1G]], [[Classic 2G]], and [[Classic 3G]] in mind, but also works with [[Nano 3G]] and [[Nano 4G]]. More details to come soon on a separate page. We'll be happy if someone could test if it works on [[Nano 5G]] and [[Nano 6G]] and post the results on the [[Talk:Nano4G_firmware_upgrade_process|Discussion page]].
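A captured command trace can be checked against the protocol description and commands summary above. The following decoder is an added example, not code from the ipodscsi tool or from this wiki; its function names are hypothetical, the file sizes in the sample trace are constructed, and reading bytes 2-3 of the 91/97/98 commands as a count of 4096-byte blocks is an inference from the page's figures (00 01 for a 4KB log page, 00 10 for five data stages totalling 65536 bytes), not something the page states.

```python
"""Decode and sanity-check a trace of 0xC6 firmware-update CDBs (added example)."""
import struct

OPCODE = 0xC6
BLOCK = 4096          # assumption: bytes 2-3 of 91/97/98 count 4096-byte blocks
CHUNK = 0x10 * BLOCK  # 65536 = 16384 + 3584 + 16384 + 16384 + 12800

# Second CDB byte -> role, as described on the page.
SUBCOMMANDS = {
    0x90: "init update process",
    0x91: "upload data",
    0x92: "end update process",
    0x94: "repartition HDD/flash",
    0x96: "initiate update (4-byte response)",
    0x97: "read update log page",
    0x98: "write update log page",
    0x31: "final command (no data stage)",
}
FILE_TYPES = {0: "firmware", 1: "bootloader"}
MIN_LEN = {0x90: 7, 0x94: 6, 0x91: 4, 0x97: 4, 0x98: 4}  # bytes that carry fields


def decode_cdb(hex_cdb):
    """Turn one hex-encoded CDB into a dict of its decoded fields."""
    cdb = bytes.fromhex(hex_cdb)
    if len(cdb) < 2 or cdb[0] != OPCODE:
        raise ValueError("not a 0xC6 vendor command: %r" % hex_cdb)
    sub = cdb[1]
    if sub not in SUBCOMMANDS:
        raise ValueError("unknown sub-command 0x%02x" % sub)
    if len(cdb) < MIN_LEN.get(sub, 2):
        raise ValueError("truncated CDB: %r" % hex_cdb)
    info = {"sub": sub, "name": SUBCOMMANDS[sub], "cdb_len": len(cdb)}
    if sub == 0x90:    # <type>, then big-endian 32-bit file size
        info["type"] = FILE_TYPES.get(cdb[2], "unknown")
        info["size"] = struct.unpack(">I", cdb[3:7])[0]
    elif sub == 0x94:  # big-endian 32-bit firmware partition size in KB
        info["partition_kb"] = struct.unpack(">I", cdb[2:6])[0]
    elif sub in (0x91, 0x97, 0x98):
        info["data_bytes"] = struct.unpack(">H", cdb[2:4])[0] * BLOCK
    return info


def check_transfers(trace):
    """Pair each 90 ... 92 transfer and compare upload count with declared size.

    Returns (type, declared size, uploads seen, uploads expected,
    bytes carried by the last upload) per transfer; raises ValueError
    when commands appear out of order.
    """
    results, current = [], None
    for hex_cdb in trace:
        info = decode_cdb(hex_cdb)
        if info["sub"] == 0x90:
            if current is not None:
                raise ValueError("init while a transfer is still open")
            current = {"type": info["type"], "size": info["size"], "uploads": 0}
        elif info["sub"] == 0x91:
            if current is None:
                raise ValueError("upload outside a transfer")
            current["uploads"] += 1
        elif info["sub"] == 0x92:
            if current is None:
                raise ValueError("end without init")
            expected = -(-current["size"] // CHUNK)  # ceiling division
            last = current["size"] - CHUNK * (expected - 1) if expected else 0
            results.append((current["type"], current["size"],
                            current["uploads"], expected, last))
            current = None
    if current is not None:
        raise ValueError("transfer never closed")
    return results


def pad(prefix, total):
    """Zero-pad a hex CDB prefix to `total` bytes."""
    return prefix + " 00" * (total - len(bytes.fromhex(prefix)))


# Constructed trace in the order given on the page; the two file sizes
# (100000 and 196608 bytes) are made up for this example.
TRACE = (
    [pad("c6 96", 10), pad("c6 97 00 01", 10), pad("c6 98 00 01", 10),
     pad("c6 94 00 02 80 00", 16),
     pad("c6 90 01 00 01 86 a0", 16)]      # bootloader, 100000 bytes
    + [pad("c6 91 00 10", 10)] * 2
    + [pad("c6 92", 16),
       pad("c6 90 00 00 03 00 00", 16)]    # firmware, 196608 bytes
    + [pad("c6 91 00 10", 10)] * 3
    + [pad("c6 92", 16), pad("c6 31", 16), pad("c6 98 00 01", 10)]
)

if __name__ == "__main__":
    for row in check_transfers(TRACE):
        print("%-10s size=%d uploads=%d/%d last=%d bytes" % row)
```

A transfer whose upload count differs from the expected count, or whose commands arrive out of order, indicates a truncated capture or a host that splits the data differently from the description above.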
cec8b2c8c5783d879d95939c6caeedfb50f0dd0a EmCORE Releases/r674 0 407 4124 2011-11-30T14:52:02Z User890104 124 Created page with "[[emCORE]] r674 was released on March 25th, 2011 ==Release notes / Known issues== * This is the first public release, so please be aware that there might be a bunch of still unk..." wikitext text/x-wiki [[emCORE]] r674 was released on March 25th, 2011 ==Release notes / Known issues== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. 
==Fixes / Improvements== * Initial public [[emCORE]] release ==Files== ===Common=== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ===iPod Nano 2G=== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ===iPod Classic=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 9eb03cb3aed31c35e773a348581823cf1b344523 4128 4124 2011-11-30T15:02:15Z User890104 124 Protected "[[EmCORE Releases/r674]]": release pages are meant to be edited only by the developers ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki [[emCORE]] r674 was released on March 25th, 2011 ==Release notes / Known issues== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. 
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this. * We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users. * There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU. ==Fixes / Improvements== * Initial public [[emCORE]] release ==Files== ===Common=== [http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/> ===iPod Nano 2G=== [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/> ===iPod Classic=== [http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/> 9eb03cb3aed31c35e773a348581823cf1b344523 4134 4128 2011-11-30T15:40:06Z User890104 124 wikitext text/x-wiki __NOTOC__ [[emCORE]] r674 was released on March 25th, 2011 ==Release notes / Known issues== * This is the first public release, so please be aware that there might be a bunch of still unknown bugs in the wild. 
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* This release reduces the CPU core voltage to conserve battery power, but apparently by a bit too much for some iPod Classic devices, causing all kinds of weird behavior. This was disabled in the r692 release, so please update if you suspect that you're affected by this.
* We found a kernel bug in this release that causes lockups when injecting a firmware image while the boot menu is updating the display. This should not affect normal users.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Initial public [[emCORE]] release
==Files==
===Common===
[http://files.freemyipod.org/releases/20110325/fastboot-r674-20110325.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodnano2g-r674-20110325.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodnano2g-r29644-20110325.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110325/bootstrap-ipodclassic-r674-20110325.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110325/installer-ipodclassic-r674-20110325.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110325/rockbox-ipodclassic-r29644-20110325.zip rockbox-ipodclassic.zip]<br/>
794ab516134e046306d5044b59dbc6c14c7ef02a

EmCORE Releases/r692 0 408 4125 2011-11-30T14:53:25Z User890104 124 Created page with "[[emCORE]] r692 was released on April 6th, 2011 ==Release notes / Known issues== * The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Reboo..." wikitext text/x-wiki
[[emCORE]] r692 was released on April 6th, 2011
==Release notes / Known issues==
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
ab81d5d04ddc366c0bd4a798ac08d003cce4bd4e

4129 4125 2011-11-30T15:02:28Z User890104 124 Protected "[[EmCORE Releases/r692]]": release pages are meant to be edited only by the developers ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki
[[emCORE]] r692 was released on April 6th, 2011
==Release notes / Known issues==
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
ab81d5d04ddc366c0bd4a798ac08d003cce4bd4e

4133 4129 2011-11-30T15:39:44Z User890104 124 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r692 was released on April 6th, 2011
==Release notes / Known issues==
* The boot menu occasionally locks up due to a combination of a kernel bug and a libUI bug. Rebooting the iPod the hard way by holding the menu and select buttons for 5 seconds should help.
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Disabled undervolting for the iPod Classic.
* Fixed a kernel bug that causes lockups when injecting a firmware image while the boot menu is updating the display.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110406/fastboot-r692-20110406.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodnano2g-r692-20110406.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodnano2g-r29681-20110406.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110406/bootstrap-ipodclassic-r692-20110406.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110406/installer-ipodclassic-r692-20110406.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110406/rockbox-ipodclassic-r29681-20110406.zip rockbox-ipodclassic.zip]<br/>
652960afe7af5a2510c7ca02f89537f8ae29b668

EmCORE Releases/r708 0 409 4126 2011-11-30T14:54:22Z User890104 124 Created page with "[[emCORE]] r708 was released on April 24th, 2011 ==Release notes / Known issues== * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to s..." wikitext text/x-wiki
[[emCORE]] r708 was released on April 24th, 2011
==Release notes / Known issues==
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>
80d872ebf96beba6e4854df24a2b6c681c3ac6e2

4130 4126 2011-11-30T15:02:36Z User890104 124 Protected "[[EmCORE Releases/r708]]": release pages are meant to be edited only by the developers ([edit=sysop] (indefinite) [move=sysop] (indefinite)) wikitext text/x-wiki
[[emCORE]] r708 was released on April 24th, 2011
==Release notes / Known issues==
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>
80d872ebf96beba6e4854df24a2b6c681c3ac6e2

4132 4130 2011-11-30T15:39:19Z User890104 124 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r708 was released on April 24th, 2011
==Release notes / Known issues==
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There's a small number of iPod Classic devices where USB doesn't work unless the device was booted through DFU.
==Fixes / Improvements==
* Fixed several kernel bugs that affected CPU exception and panic handling and caused the device to just lock up instead of showing proper error messages.
* Added trivial memory protection to catch most null pointer or garbage memory address accesses.
* Fixed a race condition in libUI that caused the boot menu to crash occasionally.
* Fixed various graphics glitches in the boot menu.
==Files==
===Common===
[http://files.freemyipod.org/releases/20110424/fastboot-r708-20110424.emcoreapp fastboot.emcoreapp]<br/>
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodnano2g-r708-20110424.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodnano2g-r29777-20110424.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20110424/bootstrap-ipodclassic-r708-20110424.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20110424/installer-ipodclassic-r708-20110424.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20110424/rockbox-ipodclassic-r29777-20110424.zip rockbox-ipodclassic.zip]<br/>
52e01314b1855b197ce25812e9f22563a8cf45d6

EmCORE Installation/iPodNano4G 0 341 4137 3993 2011-12-04T01:42:50Z TheSeven 13 Remove outdated information that would only confuse users wikitext text/x-wiki
Sorry, your device is not currently supported by [[emCORE]]. Porting [[emCORE]] to a new device is generally a lot of work and requires lots of experience with embedded system development.
The exact amount of work needed varies greatly and depends on the complexity of the device and similarities to devices that [[emCORE]] has already been ported to. Your device is vaguely similar to other devices that [[emCORE]] supports, and [[emCORE]] can already be booted on it from a RAMDISK, but a significant amount of work remains before it can be permanently installed and access the device's flash memory. Until this work is done, the [[emCORE]] port to this device isn't of much use.
5318d525c0fb1d80101d281248ce402f98618104

EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 4138 4059 2011-12-10T16:30:02Z TheSeven 13 wikitext text/x-wiki
* Make sure that you have Python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed
* Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py] ([http://svn.freemyipod.org/!svn/bc/788/tools/ipoddfu/libipoddfu.py] for Python 2.x) or check out our [[SVN]]
* Download the "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder
* Connect the iPod to the computer
* Make sure the hold switch is turned off
* Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple Python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version)

Your iPod should now turn on and display "UMSboot". If you run 'sudo fdisk -l', a 64 MB drive without partitions will appear, for example /dev/sdb. Next, create a mount point, e.g. 'mkdir -p /media/disk', and mount the disk without specifying a filesystem type, e.g. 'sudo mount /dev/sdX /media/disk', where X is the drive letter from the previous step. It's a known issue that Linux might take a long time (over 10 min) to recognize and mount the iPod. If it still doesn't after a very long wait, please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
48ad53394b9ddcf066f973e4367d85c6e8106824

4146 4138 2011-12-29T05:14:48Z User890104 124 wikitext text/x-wiki
* Make sure that you have Python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed
* Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py] and one of the following files, depending on the Python version you have installed:
Python '''2.x''': [http://svn.freemyipod.org/!svn/bc/788/tools/ipoddfu/libipoddfu.py]<br />
Python '''3.x''': [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py]
* Download the "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder
* Connect the iPod to the computer
* Make sure the hold switch is turned off
* Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple Python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version)

Your iPod should now turn on and display "UMSboot". If you run 'sudo fdisk -l', a 64 MB drive without partitions will appear, for example /dev/sdb. Next, create a mount point, e.g. 'mkdir -p /media/disk', and mount the disk without specifying a filesystem type, e.g. 'sudo mount /dev/sdX /media/disk', where X is the drive letter from the previous step. It's a known issue that Linux might take a long time (over 10 min) to recognize and mount the iPod. If it still doesn't after a very long wait, please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]]
c1c8c18e0ee939c4b708fbaffbf80f48b1cf13e7

User talk:MSaki 3 404 4139 4098 2011-12-18T22:02:04Z MSaki 365 Replaced content with " not much going on right now huh? Merry Christmas everyone at Freemyipod.org :D" wikitext text/x-wiki
not much going on right now huh? Merry Christmas everyone at Freemyipod.org :D
25456cca3c462627bb7e789d64cab72b8cdd923c

User:MSaki 2 399 4140 4071 2011-12-18T22:03:08Z MSaki 365 wikitext text/x-wiki
iPod nano 2nd and 4th gen (I wish to crack 4th gen nano to run Rockbox some day)
6 iPods for ability to force to death if needed
1 iPod nano 4th gen
2 iPod nano 1st gen
2 iPod nano 2nd gen
1 iPod nano 3rd gen
ofc iPods 2nd gen can run a fully flashed emCORE. iPod nano 4th gen cannot be flashed exactly I thought I saw something that was flasher related on an old Google Code somewhere but I still haven't re-found the page yet. I <3 iPod nano 4th gen also love Python so feel free to ask for help. Merry Christmas everyone @ Freemyipod.org :D Hope you get some great presents in this time of giving.
ceaccb55ac7c417f2577fbaac7887dd57936492f

USB OTG features 0 412 4147 2011-12-31T22:41:23Z TheSeven 13 Created page with "Nano2G: Connected to emCORE Debugger v0.2.2 r836 running on iPod nano 2g 38800040: 00000264 228DD9D0 050004E8 | d... ..."....| 38800050: 01F08001 ..." wikitext text/x-wiki
Nano2G:
Connected to emCORE Debugger v0.2.2 r836 running on iPod nano 2g
38800040: 00000264 228DD9D0 050004E8 | d... ..."....|
38800050: 01F08001 |.... |
Device Mode IN Token Sequence Learning Queue Depth: 16
Host Mode Periodic Request Queue Depth: 8
Non-Periodic Request Queue Depth: 8
Dynamic FIFO Sizing Enabled: Yes
Periodic OUT Channels Supported in Host Mode: Yes
Number of Host Channels: 8 (Indicates the number of host channels supported by the core in Host mode)
Number of Device Endpoints: 6 (Indicates the number of device endpoints supported by the core in Device mode in addition to control endpoint 0)
Full-Speed PHY Interface Type: Dedicated full-speed interface
High-Speed PHY Interface Type: UTMI+ and ULPI
Point-to-Point: Multi-point application
Architecture: Internal DMA
Mode of Operation: HNP- and SRP-Capable OTG (Host & Device)
Endpoints: 0 (BIDI), 1 (IN), 2 (OUT), 3 (IN), 4 (OUT), 5 (BIDI), 6 (BIDI)
DFIFO Depth: 1280 (This value is in terms of 32-bit words => 5120 bytes)
AHB and PHY Synchronous: No (Indicates whether AHB and PHY clocks are synchronous to each other)
Reset Style for Clocked always Blocks in RTL: Asynchronous reset is used in the core
Optional Features Removed: Yes (Indicates whether the User ID register, GPIO interface ports, and SOF toggle and counter ports were removed for gate count optimization)
Vendor Control Interface Support: Vendor Control Interface is not available on the core
I2C Selection: I2C Interface is not available on the core
OTG Function Enabled: OTG Capable (The application uses this bit to indicate the O2P USB core's OTG capabilities)
Width of Packet Size Counters: 10 bits
Width of Transfer Size Counters: 19 bits
Number of IN endpoints: 0 (?)
Enable dedicated transmit FIFO for device IN endpoints: No
session_end Filter Enabled: Yes
b_valid Filter Enabled: Yes
a_valid Filter Enabled: Yes
vbus_valid Filter Enabled: Yes
iddig Filter Enabled: Yes
Number of Device Mode Control Endpoints in Addition to Endpoint 0: 0
UTMI+ PHY/ULPI-to-Internal UTMI+ Wrapper Data Width: 8/16 bits, software selectable (When a ULPI PHY is used, an internal wrapper converts ULPI to UTMI+)
Minimum AHB Frequency Less Than 60 MHz: No
Enable Power Optimization: No
Number of Device Mode Periodic IN Endpoints: 1

Classic:
Connected to emCORE Debugger v0.2.2 r836 running on iPod classic
38400040: 00000264 228F60D0 082000E8 | d... .`.".. .|
38400050: 1BF08030 |0... |
Device Mode IN Token Sequence Learning Queue Depth: 16
Host Mode Periodic Request Queue Depth: 8
Non-Periodic Request Queue Depth: 8
Dynamic FIFO Sizing Enabled: Yes
Periodic OUT Channels Supported in Host Mode: Yes
Number of Host Channels: 14 (Indicates the number of host channels supported by the core in Host mode)
Number of Device Endpoints: 8 (Indicates the number of device endpoints supported by the core in Device mode in addition to control endpoint 0)
Full-Speed PHY Interface Type: Full-speed interface not supported
High-Speed PHY Interface Type: UTMI+ and ULPI
Point-to-Point: Multi-point application
Architecture: Internal DMA
Mode of Operation: HNP- and SRP-Capable OTG (Host & Device)
Endpoints: 0 (BIDI), 1 (IN), 2 (OUT), 3 (IN), 4 (OUT), 5 (BIDI), 6 (BIDI), 7 (BIDI), 8 (BIDI)
DFIFO Depth: 2080 (This value is in terms of 32-bit words => 8320 bytes)
AHB and PHY Synchronous: No (Indicates whether AHB and PHY clocks are synchronous to each other)
Reset Style for Clocked always Blocks in RTL: Asynchronous reset is used in the core
Optional Features Removed: No (Indicates whether the User ID register, GPIO interface ports, and SOF toggle and counter ports were removed for gate count optimization)
Vendor Control Interface Support: Vendor Control Interface is not available on the core
I2C Selection: I2C Interface is not available on the core
OTG Function Enabled: OTG Capable (The application uses this bit to indicate the O2P USB core's OTG capabilities)
Width of Packet Size Counters: 10 bits
Width of Transfer Size Counters: 19 bits
Number of IN endpoints: 5 (?)
Enable dedicated transmit FIFO for device IN endpoints: Yes
session_end Filter Enabled: Yes
b_valid Filter Enabled: Yes
a_valid Filter Enabled: Yes
vbus_valid Filter Enabled: Yes
iddig Filter Enabled: Yes
Number of Device Mode Control Endpoints in Addition to Endpoint 0: 0
UTMI+ PHY/ULPI-to-Internal UTMI+ Wrapper Data Width: 8/16 bits, software selectable (When a ULPI PHY is used, an internal wrapper converts ULPI to UTMI+)
Minimum AHB Frequency Less Than 60 MHz: Yes
Enable Power Optimization: Yes
Number of Device Mode Periodic IN Endpoints: 0
bc90038effc2580d65a7df7242bc1f7310af9cb0

EmCORE Releases/r855 0 413 4148 2012-01-01T23:22:08Z TheSeven 13 Created page with "__NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before XXX w..." wikitext text/x-wiki
__NOTOC__
[[emCORE]] r855 was released on January 1st, 2012.
==Release notes / Known issues==
* <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before XXX will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span>
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases.
==Fixes / Improvements==
* Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic).
* Lots of internal improvements and bug fixes.
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build.
* "fastboot" has been integrated into the boot menu.
* The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...).
* Support for boot menu themes on the data partition has been added (winter theme included).
* iPod Classic: HDD data endianness has been fixed.
* emCORE applications can now have command line arguments.
* emCORE kernel memory size has been reduced.
* emCORE LCD driver performance has been improved.
* iPod Classic: Use all 262144 colors of the LCD, not just 65536.
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations.
* Fix wrong maximum packet sizes in USB descriptors.
==Files==
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r853-20120101.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r853-20120101.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r853-20120101.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r853-20120101.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r853-20120101.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/>
c355ffa9ec84b327f5e036476e06577c9370a354

4149 4148 2012-01-01T23:22:27Z TheSeven 13 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r855 was released on January 1st, 2012.
==Release notes / Known issues==
* <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before XXX will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span>
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases.
==Fixes / Improvements==
* Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic).
* Lots of internal improvements and bug fixes.
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build.
* "fastboot" has been integrated into the boot menu.
* The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...).
* Support for boot menu themes on the data partition has been added (winter theme included).
* iPod Classic: HDD data endianness has been fixed.
* emCORE applications can now have command line arguments.
* emCORE kernel memory size has been reduced.
* emCORE LCD driver performance has been improved.
* iPod Classic: Use all 262144 colors of the LCD, not just 65536.
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations.
* Fix wrong maximum packet sizes in USB descriptors.
==Files==
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/>
3672a1b3fba4cc768e085a2075acabe6b09b276c

4151 4149 2012-01-01T23:26:22Z TheSeven 13 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r855 was released on January 1st, 2012.
==Release notes / Known issues==
* <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span>
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases.
==Fixes / Improvements==
* Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic).
* Lots of internal improvements and bug fixes.
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build.
* "fastboot" has been integrated into the boot menu.
* The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...).
* Support for boot menu themes on the data partition has been added (winter theme included).
* iPod Classic: HDD data endianness has been fixed.
* emCORE applications can now have command line arguments.
* emCORE kernel memory size has been reduced.
* emCORE LCD driver performance has been improved.
* iPod Classic: Use all 262144 colors of the LCD, not just 65536.
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations.
* Fix wrong maximum packet sizes in USB descriptors.
==Files==
===iPod Nano 2G===
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/>
===iPod Classic===
[http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/>
75024c75cd2e4b27c8161781974660aad086a6ff

4154 4151 2012-01-02T01:37:47Z Farthen 28 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r855 was released on January 1st, 2012.
==Release notes / Known issues==
* <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span>
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases.
==Fixes / Improvements==
* Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic).
* Lots of internal improvements and bug fixes.
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build.
* "fastboot" has been integrated into the boot menu.
* The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...).
* Support for boot menu themes on the data partition has been added (winter theme included).
* iPod Classic: HDD data endianness has been fixed.
* emCORE applications can now have command line arguments.
* emCORE kernel memory size has been reduced.
* emCORE LCD driver performance has been improved.
* iPod Classic: Use all 262144 colors of the LCD, not just 65536.
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations.
* Fix wrong maximum packet sizes in USB descriptors.
==Files==
===iPod Nano 2G===
<span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. Stay tuned for another update.</span>
<!--
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/>
-->
===iPod Classic===
[http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/>
b37fce2909b3bd354d684781ef12c6c93d8e393c

4155 4154 2012-01-02T04:17:27Z Farthen 28 wikitext text/x-wiki
__NOTOC__
[[emCORE]] r855 was released on January 1st, 2012.
==Release notes / Known issues==
* <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span>
* The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now.
* Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected.
* There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases.
==Fixes / Improvements==
* Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic).
* Lots of internal improvements and bug fixes.
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build.
* "fastboot" has been integrated into the boot menu.
* The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...).
* Support for boot menu themes on the data partition has been added (winter theme included).
* iPod Classic: HDD data endianness has been fixed.
* emCORE applications can now have command line arguments.
* emCORE kernel memory size has been reduced.
* emCORE LCD driver performance has been improved.
* iPod Classic: Use all 262144 colors of the LCD, not just 65536.
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations.
* Fix wrong maximum packet sizes in USB descriptors.
==Files==
===iPod Nano 2G===
<span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. Stay tuned for another update.</span>
<!--
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/>
[http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/>
[http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/>
-->
===iPod Classic===
<span style="color: #f00;">If your hard drive didn't get wiped after updating from an official release, please get in touch with us.
Weird stuff is happening here.</span> [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> ad6a7c7f2486d5c90c7eb7fc2ca283217d92ba02 4156 4155 2012-01-02T04:22:28Z Farthen 28 /* iPod Classic */ wikitext text/x-wiki __NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic: Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved. * iPod Classic: Use all 262144 colors of the LCD, not just 65536. 
* iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== <span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. Stay tuned for another update.</span> <!-- [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/> --> ===iPod Classic=== <span style="color: #f00;">If your hard drive didn't get wiped after updating from an official release, please get in touch with us. Weird stuff is happening here.</span><br /> [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> 723f2cf190e43bacb7a85b22300b66fbba20d62a 4157 4156 2012-01-02T08:03:47Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * <span style="color: #f00;">Please remove "fastboot" if present (/.boot/init.emcoreapp) before upgrading to this release!</span> * The display doesn't work on some iPod Nano 2G devices. 
If this happens to you, we suggest sticking with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved. * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== <span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. 
Stay tuned for another update.</span> <!-- [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/> --> ===iPod Classic=== [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> 831c3b74fd335162a025aa4daf5c92d060594df0 4158 4157 2012-01-02T08:20:05Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * <span style="color: #f00;">Please remove "fastboot" if present (/.boot/init.emcoreapp) before upgrading to this release!</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. 
This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== <span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. 
Stay tuned for another update.</span> <!-- [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/> --> ===iPod Classic=== [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> 962c4946085e85a97a5661234565cdf0bf06c976 4159 4158 2012-01-02T08:28:22Z TheSeven 13 wikitext text/x-wiki __NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * <span style="color: #f00;">Please remove "fastboot" if present (/.boot/init.emcoreapp) '''before''' upgrading to this release! Otherwise you might get into very nasty trouble.</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. 
In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== <span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. 
Stay tuned for another update.</span> <!-- [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/> --> ===iPod Classic=== [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> 82f7d21389702e8d28de754b2c737d722d91ff9c EmCORE Releases/r859 0 414 4160 2012-01-02T19:49:03Z Farthen 28 r859 wikitext text/x-wiki __NOTOC__ [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest to stick with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. 
==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodnano2g-3.10-20120102.zip rockbox-ipodnano2g.zip]<br/> ===iPod Classic=== [http://files.freemyipod.org/releases/20120102/bootstrap-ipodclassic-r859-20120102.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodclassic-r859-20120102.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodclassic-r31516-20120102.zip rockbox-ipodclassic.zip]<br/> e0504bf5488630fc4ee1afbad3a76c7503f4930d EmCORE Releases/r859 0 414 4161 4160 2012-01-02T19:49:16Z Farthen 28 wikitext text/x-wiki __NOTOC__ [[emCORE]] r859 was released on January 2nd, 2012. 
==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved. * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. 
==Files== ===iPod Nano 2G=== [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodnano2g-3.10-20120102.zip rockbox-ipodnano2g.zip]<br/> ===iPod Classic=== [http://files.freemyipod.org/releases/20120102/bootstrap-ipodclassic-r859-20120102.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodclassic-r859-20120102.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodclassic-r31516-20120102.zip rockbox-ipodclassic.zip]<br/> cbf909ca4c41009c4934a7b568c99f3814763ea9 4187 4161 2012-04-22T17:02:31Z User890104 124 another attempt to prevent people from installing (incompatible) fastboot apps wikitext text/x-wiki __NOTOC__ [[emCORE]] r859 was released on January 2nd, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. Rockbox versions before r31455 are incompatible with the new format.</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. 
* iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. <span style="color: #f00;">DO '''NOT''' USE ANY ADDITIONAL FASTBOOT APPLICATIONS (from older releases)!</span> * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved. * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===Common=== The fastboot app has been discontinued; its functionality is now integrated into the boot menu, under ''Tools->Settings->Fastboot action''. DO NOT attempt to install any fastboot apps! 
===iPod Nano 2G=== [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodnano2g-r859-20120102.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodnano2g-3.10-20120102.zip rockbox-ipodnano2g.zip]<br/> ===iPod Classic=== [http://files.freemyipod.org/releases/20120102/bootstrap-ipodclassic-r859-20120102.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120102/installer-ipodclassic-r859-20120102.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120102/rockbox-ipodclassic-r31516-20120102.zip rockbox-ipodclassic.zip]<br/> 3b95e495048e47920bbadf37cf49f79d1f32abb1 EmCORE Releases 0 346 4162 4150 2012-01-02T19:49:21Z Farthen 28 r859 wikitext text/x-wiki Here is a list of all builds of [[emCORE]] that have been released to the public so far. '''Please do not use any other builds unless you really know what you're doing!''' The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another. * [[EmCORE_Releases/r859|'''emCORE r859 (2012-01-02)''']] * <s>[[EmCORE_Releases/r855|emCORE r855 (2012-01-01)]]</s> * [[EmCORE_Releases/r708|emCORE r708 (2011-04-24)]] * [[EmCORE_Releases/r692|emCORE r692 (2011-04-06)]] * [[EmCORE_Releases/r674|emCORE r674 (2011-03-25)]] 2816b9c4ea498f68bd71a61d66a020a643148f82 EmCORE Releases/r855 0 413 4163 4159 2012-01-02T19:49:27Z Farthen 28 r859 wikitext text/x-wiki __NOTOC__ {{Template:Outdated|reason=A hotfix for this release is available: [[EmCORE Releases/r859|r859]]}} [[emCORE]] r855 was released on January 1st, 2012. ==Release notes / Known issues== * <span style="color: #f00;">iPod Classic (thin models): Upgrading from emCORE builds before r836 will reformat the hard drive. 
Rockbox versions before r31455 are incompatible with the new format.</span> * <span style="color: #f00;">Please remove "fastboot" if present (/.boot/init.emcoreapp) '''before''' upgrading to this release! Otherwise you might get into very nasty trouble.</span> * iPod Classic (thick 160GB): If you're using a Rockbox version before r30908, you will need to update Rockbox by booting the fallback image (Tools => Rockbox fallback image) to make the LCD work again. * The display doesn't work on some iPod Nano 2G devices. If this happens to you, we suggest sticking with iLoader for now. * Reducing the CPU core voltage on the iPod Classic has been disabled. Battery life might be adversely affected. * There are still some Rockbox USB stability issues. In most cases, replugging/rebooting the iPod helps. This might be fixed in future Rockbox releases. ==Fixes / Improvements== * Includes Rockbox release 3.10 (iPod Nano 2G) / build r31516 (iPod Classic). * Lots of internal improvements and bug fixes. * iPod Classic: USB stability improvements. This release should work on devices which previously needed the "usbfixcandidate" build. * "fastboot" has been integrated into the boot menu. * The boot menu is now configurable (default boot option, timeouts, fastboot, backlight brightness, ...). * Support for boot menu themes on the data partition has been added (winter theme included). * iPod Classic: HDD data endianness has been fixed. * emCORE applications can now have command line arguments. * emCORE kernel memory size has been reduced. * emCORE LCD driver performance has been improved. * iPod Classic: Use all 262144 colors of the LCD, not just 65536. * iPod Nano 2G: Fix LCD not being cleared properly on shutdown in certain situations. * Fix wrong maximum packet sizes in USB descriptors. ==Files== ===iPod Nano 2G=== <span style="color: #f00;">iPod nano 2g builds taken down due to some problems with booting the original firmware. 
Stay tuned for another update.</span> <!-- [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.bootnote installer-ipodnano2g.bootnote]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ipodx installer-ipodnano2g.ipodx]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodnano2g-r855-20120101.ubi installer-ipodnano2g.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodnano2g-3.10-20120101.zip rockbox-ipodnano2g.zip]<br/> --> ===iPod Classic=== [http://files.freemyipod.org/releases/20120101/bootstrap-ipodclassic-r855-20120101.dfu bootstrap-ipodclassic.dfu]<br/> [http://files.freemyipod.org/releases/20120101/installer-ipodclassic-r855-20120101.ubi installer-ipodclassic.ubi]<br/> [http://files.freemyipod.org/releases/20120101/rockbox-ipodclassic-r31516-20120101.zip rockbox-ipodclassic.zip]<br/> a172ca4d97c2985035f1262a8fdc7b13cd2516c3 Main Page 0 50 4164 4152 2012-01-02T19:49:39Z Farthen 28 r859 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. 
See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 <!-- *{{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon *{{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! *{{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! *{{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! 
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 7cfd3fc00549b26ed32d567c118c572703f89f12 4165 4164 2012-01-02T20:48:22Z Farthen 28 Delete commented out updates wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on 
[[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} cfd6fa51779169ecb672ad1d86061c1f9614bd0d 4178 4165 2012-02-17T15:05:34Z User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. 
Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer: [[Status]] # Follow the installation instructions: [[emCORE Installation]] # Report any bugs you encountered to us: [[Contact]] ==Updates== * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] ** [[emCORE Uninstallation]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 6ef3377d1745a6bdba07b63ce4c40c11b102569d 4179 4178 2012-03-28T21:13:47Z User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. 
Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment. # Follow the [[emCORE_Installation|installation instructions]] if your device is supported. # In case you encounter any bugs, please [[Contact|contact]] us in order to report them. ==Updates== * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] ** [[emCORE Uninstallation]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} d7679fbd345b833b3f986f75693cc91c146a494c S5L8702 clock gates 0 324 4166 3686 2012-01-03T23:07:36Z Benedikt93 145 wikitext text/x-wiki {| class="wikitable" ! Gate !! Function |- | 0 | SHA1 accelerator |- | 1 | LCD controller? 
|-
| 2
| USB-related
|-
| 3
| Unknown, masking crashes immediately
|-
| 4
| Unknown, masking crashes after some milliseconds
|-
| 5
| ATA controller
|-
| 6
| Unknown (masked by default)
|-
| 7
| I2S controller
|-
| 8
| Nand controller (running by default)
|-
| 9
| Unknown (masked by default)
|-
| 10
| AES coprocessor
|-
| 11
| Unknown (masked by default)
|-
| 12
| Unknown (running by default)
|-
| 13
| Unknown (running by default)
|-
| 14
| Unknown (masked by default)
|-
| 15
| Unknown (masked by default)
|-
| 16
| Unknown (masked by default)
|-
| 17
| Unknown (masked by default)
|-
| 18
| Unknown (masked by default)
|-
| 19
| Unknown (running by default)
|-
| 20
| Unknown (running by default)
|-
| 21
| Unknown (running by default)
|-
| 22
| Unknown (running by default)
|-
| 23
| Unknown (running by default)
|-
| 24
| Unknown (running by default)
|-
| 25
| DMA controller 0
|-
| 26
| Unknown (running by default)
|-
| 27
| Unknown (running by default)
|-
| 28
| Unknown (running by default)
|-
| 29
| Unknown (masked by default)
|-
| 30
| Unknown (running by default)
|-
| 31
| Unknown (running by default)
|-
| 32
| Unknown (masked by default)
|-
| 33
| Clickwheel controller?
|-
| 34
| SPI0 (NOR flash)
|-
| 35
| USB-related
|-
| 36
| I2C controller 0
|-
| 37
| Unknown, masking crashes after some milliseconds
|-
| 38
| Unknown (masked by default)
|-
| 39
| Unknown (masked by default)
|-
| 40
| Unknown (masked by default)
|-
| 41
| Unknown (masked by default)
|-
| 42
| Unknown (masked by default)
|-
| 43
| SPI1? (unconnected)
|-
| 44
| GPIO controller
|-
| 45
| Unknown (masked by default)
|-
| 46
| ChipId (masked by default)
|-
| 47
| SPI2?
(unconnected)
|-
| 48
| Unknown (masked by default)
|-
| 49
| Unknown (masked by default)
|}
25082177c49ef0a66a830f85670f7f5a16f3b86a EmCORE Installation/iPodClassic/DFUiTunes 0 352 4167 4021 2012-01-16T14:53:37Z Farthen 28 wikitext text/x-wiki
* Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file
* Connect your iPod to your computer
* Make sure iTunes is closed
* Kill "AppleMobileDeviceService.exe" using the task manager
** Open the task manager (press CTRL + SHIFT + ESC)
** Click on the "Processes" tab
** Choose "AppleMobileDeviceService.exe"
** Press the "End Process" button
** Press "End Process" to confirm
* Do the same for "iTunesHelper.exe"
* Make sure the hold switch is not locked
* Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod will show an Apple logo after about 5 seconds; keep holding the buttons until it seems to turn off completely)

The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC.
* Wait for the driver installation to complete
* Run bootstrap_ipodclassic_itunes.exe

Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]].
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] c4ff5f5fdf65d73b14d3647c4c1d168cea82befc 4182 4167 2012-04-01T18:30:00Z User890104 124 wikitext text/x-wiki * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic_itunes.exe this] file * Connect your iPod to your computer * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Do the same for "iTunesHelper.exe" * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] d743ed3affb14f9d76f019aaeefd01c548c3ac9a 4205 4182 2013-08-27T18:48:18Z User890104 124 wikitext text/x-wiki * Download [http://files.freemyipod.org/targets/iPod%20classic/bootstrap_ipodclassic_itunes.exe this] file * Connect your iPod to your computer * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Do the same for "iTunesHelper.exe" * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 2d3fd989d7299b42c4672387582a9ccad9ac4c50 EmCORE Installation/iPodClassic/UMSboot 0 347 4168 4108 2012-01-22T09:58:15Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) 
<span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. Continue reading and following the instructions to the end of the page!'''</span> * Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) 9ad035eeeabf3675a1b171713221df1d9885f23a 4198 4168 2012-09-23T12:48:47Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Safely eject (or unmount on linux) that volume * Disconnect your iPod from your PC * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Connect your iPod to your computer * Wait for the iPod's hard disk drive to connect and become accessible (this might take longer than a minute, if it doesn't work try different USB port) * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) 280f218ea45aa411353834d7d6a1020203cdf0a4 4206 4198 2013-08-29T14:39:12Z TheSeven 13 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Eject that volume (use "Eject" from the Explorer context menu, or the "eject" utility on Linux) * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) 404aef858e8cb048c06888521f602f5a2b77088e 4209 4206 2013-09-03T11:26:37Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Eject that volume ([http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif use "Eject" from the Explorer right-click menu], or the "eject" utility on Linux) * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) ef64458015096b5af37a29678bcef18db74d93b3 4210 4209 2013-09-11T21:28:48Z User890104 124 wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Eject that volume == on Windows == http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif == on Linux == use the "eject" command "e.g. '''eject /dev/sdb'''" * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) 22a748cba9f350a919e0492295de899de5a87010 User:MSaki 2 399 4169 4140 2012-01-23T22:35:26Z MSaki 365 wikitext text/x-wiki Ipod nano 2nd and 4th gen (i wish to crack 4th gen nano to run rockbox some day) 6 ipods for ability to force to death if needed 1 ipod nano 4th gen 2 ipod nano 1st gen 2 ipod nano 2nd gen 1 ipod nano 3rd gen ofc ipods 2nd gen can run a fully flashed emcore. Ipod nano 4th gen cannot be flashed exactly i thought i saw something that was flasher related on a old google code somewhere but i still haven't re found the page yet. I <3 ipod nano 4th gen also love python so feel free to ask for help. time to get some earned rest. Ipods sleep to you know :) aec4efd77520ba8ad374c8f62cda6a4a0acef546 4175 4169 2012-01-26T20:59:22Z MSaki 365 wikitext text/x-wiki '''Ipod nano 2nd and 4th gen (i wish to crack 4th gen nano to run rockbox some day)''' ''6 ipods for ability to force to death if needed 1 ipod nano 4th gen 2 ipod nano 1st gen 2 ipod nano 2nd gen 1 ipod nano 3rd gen'' ofc ipods 2nd gen can run a fully flashed emcore. Ipod nano 4th gen cannot be flashed exactly i thought i saw something that was flasher related on a old google code somewhere but i still haven't re found the page yet. 
I <3 ipod nano 4th gen also love python so feel free to ask for help. ''' time to get some earned rest. Ipods sleep to you know :)''' 6ba3c306c84d5eea1fc125348445155a184848e0 4180 4175 2012-03-28T23:47:00Z MSaki 365 wikitext text/x-wiki Me and a buddy started a irc server We are a small network at the moment, we would like to change that, if you would like to join, Server: irc.crystalfallows.com Port: 6667 for normal, and +6697 for SSL #chat is our main channel, you may join that ''6 ipods for ability to force to death if needed 1 ipod nano 4th gen 2 ipod nano 2nd gen ofc ipods 2nd gen can run a fully flashed emcore. I <3 ipod nano 4th gen also love python so feel free to ask for help. ''' time to get some earned rest. Ipods sleep to you know :)''' 3b15f6352efb7c94501b226bc374768786aec5d1 4192 4180 2012-07-17T05:08:25Z MSaki 365 wikitext text/x-wiki Been running emcore dualboot with apple on my nano2g 2gb for a while now. also have 1 80gb classic running only emcore and rockbox (no dual boot? guess not possible.) hope to get emcore on nano 3g (seems to have same firmware looks as classic) time to get some earned rest. Ipods sleep to you know :)''' 84052872a2d60f13184c2f56919d0fe9e9cb5e0b 4194 4192 2012-07-17T07:14:29Z User890104 124 wikitext text/x-wiki Been running emcore dualboot with apple on my nano2g 2gb for a while now. also have 1 80gb classic running only emcore and rockbox (no dual boot? guess not possible.) ''yeah, not possible yet.'' --[[User:User890104|User890104]] 09:14, 17 July 2012 (CEST) hope to get emcore on nano 3g (seems to have same firmware looks as classic) ''the nano3g port is not even working, it was abandoned a long time ago.'' --[[User:User890104|User890104]] 09:14, 17 July 2012 (CEST) time to get some earned rest. 
Ipods sleep to you know :) 8aecafe1365cac29bc03bc4b72f15c9792e7c3c9 User talk:MSaki 3 404 4170 4139 2012-01-23T22:36:23Z MSaki 365 wikitext text/x-wiki I love the new ipod nano 2nd gen build epic snow theme :D just one thing how do you use / install the apps and themes?? 544f2e185aa3f96fa88298f6f57714bb7706f8e0 4171 4170 2012-01-24T15:16:20Z User890104 124 wikitext text/x-wiki I love the new ipod nano 2nd gen build epic snow theme :D just one thing how do you use / install the apps and themes?? :you usually install a theme by copying it to the ipod as /.apps/bootmenu/theme.emcoreapp, if you remove/rename the existing one your ipod will use the default theme. --[[User:User890104|User890104]] 15:16, 24 January 2012 (UTC) 9bc2edfb580cbdd8148718c21d78eb9aceb3328b 4172 4171 2012-01-24T22:41:56Z MSaki 365 wikitext text/x-wiki I love the new ipod nano 2nd gen build epic snow theme :D just one thing how do you use / install the apps and themes?? :you usually install a theme by copying it to the ipod as /.apps/bootmenu/theme.emcoreapp, if you remove/rename the existing one your ipod will use the default theme. --[[User:User890104|User890104]] 15:16, 24 January 2012 (UTC) ok thx :D how about the apps? 08f614f1816dd700572484c56f0b7a0ad23c0264 4173 4172 2012-01-25T20:16:34Z User890104 124 wikitext text/x-wiki I love the new ipod nano 2nd gen build epic snow theme :D just one thing how do you use / install the apps and themes?? :you usually install a theme by copying it to the ipod as /.apps/bootmenu/theme.emcoreapp, if you remove/rename the existing one your ipod will use the default theme. --[[User:User890104|User890104]] 15:16, 24 January 2012 (UTC) ok thx :D how about the apps? :the apps folder is meant to hold applications' settings. 
there are other apps available on the SVN (like the snake game) but there is no easy way to launch then on the device (without using a PC and emcore.py) at the moment (there's a launcher app in the svn but it's not finished) c12ccd41f74a0ab685c06e835b4494089f576342 4174 4173 2012-01-26T20:56:37Z MSaki 365 wikitext text/x-wiki I love the new ipod nano 2nd gen build epic snow theme :D just one thing how do you use / install the apps and themes?? :you usually install a theme by copying it to the ipod as /.apps/bootmenu/theme.emcoreapp, if you remove/rename the existing one your ipod will use the default theme. --[[User:User890104|User890104]] 15:16, 24 January 2012 (UTC) ok thx :D how about the apps? :the apps folder is meant to hold applications' settings. there are other apps available on the SVN (like the snake game) but there is no easy way to launch then on the device (without using a PC and emcore.py) at the moment (there's a launcher app in the svn but it's not finished) ok thx 8d8685f09055e25ad04c8b54c8eaecb5361238d3 4191 4174 2012-07-17T05:04:34Z MSaki 365 wikitext text/x-wiki Nano 3g is on my next emcore/rockbox build list time to figure out how the whole thing ticks. (any ideas? nano 3g 8gb onyx black version.) b0484a03fa0c65acf3602f038ed7dbe966f38d29 4193 4191 2012-07-17T05:17:02Z MSaki 365 wikitext text/x-wiki Nano 3g is on my next emcore/rockbox build list time to figure out how the whole thing ticks. (any ideas? nano 3g 8gb onyx black version.) Questions: My nano 2g silver 2gb will only install up to r859 any of the other builds (im aware about warning) give "could not parse" errors. Ipod classic 80gb (think 6th gen with metal black front?) didn't ask for option to dual boot which isn't an issue. rockbox <3 Are there any exploits or attempts to port emcore to nano 3g? Just random questions. Night. 
cf0b3144832045d7ca9355845f6440241f5b8c99 4195 4193 2012-07-17T07:18:07Z User890104 124 wikitext text/x-wiki Nano 3g is on my next emcore/rockbox build list time to figure out how the whole thing ticks. (any ideas? nano 3g 8gb onyx black version.) ''there's no rockbox port for nano3g and no working emcore build available at the moment'' --[[User:User890104|User890104]] 09:18, 17 July 2012 (CEST) Questions: My nano 2g silver 2gb will only install up to r859 any of the other builds (im aware about warning) give "could not parse" errors. ''please join our IRC channel, and ask your question, so someone can give you instructions on how to fix this'' --[[User:User890104|User890104]] 09:18, 17 July 2012 (CEST) Ipod classic 80gb (think 6th gen with metal black front?) didn't ask for option to dual boot which isn't an issue. rockbox <3 ''dual boot is not supported on ipod classics'' --[[User:User890104|User890104]] 09:18, 17 July 2012 (CEST) Are there any exploits or attempts to port emcore to nano 3g? ''there are exploits, and we have code execution. it has been ported partially, but much work remains before it can be usable'' --[[User:User890104|User890104]] 09:18, 17 July 2012 (CEST) Just random questions. Night. 93f7654f899f3a3e1ca9aad921b2c5db55850116 Fastboot 0 366 4176 4104 2012-02-05T15:48:01Z User890104 124 wikitext text/x-wiki {{outdated|reason=Since r808, fastboot is discontinued, because its functionality is integrated in the boot menu itself. Please don't install the fastboot app anymore. Use [[EmCORE_Releases/r859|r859]] or a [[EmCORE_Releases|more recent release]] instead and uninstall any existing fastboot app you might have.}} Fastboot is an [[emCORE]] application, that runs [http://www.rockbox.org/ Rockbox] as soon as the device is powered on. It is preferred by many users, and it is not so hard to install. 

'''Nano 2G users''': If you mainly use Apple's firmware and would like to "fastboot" into it, please ask on IRC for a modified fastboot build that boots OF<ref name="OF">'''OF''' stands for '''Original firmware'''</ref> instead.

==Usage==
*To boot [http://www.rockbox.org/ Rockbox] with fastboot installed, just power your iPod on.
*To launch the boot menu instead, '''hold''' any key while your iPod is turning on until you see the menu.

==Installation==
<span style="color: #f00; font-size: 16px;">'''WARNING: Always use the same version of [[emCORE]] and fastboot! Mixing up versions may lead to a condition where your iPod won't boot, and would require recovering with an additional set of tools!'''</span>

Fastboot is installed by copying '''fastboot.emcoreapp''' under the name '''init.emcoreapp''' to a folder named '''.boot''' in the root folder of your iPod's flash memory/hard drive. Here are some instructions on how to do that on different OSes<ref name="OS">'''OS''' stands for '''Operating system'''</ref>.

===Windows===
''It is not possible to create such a folder using Windows's GUI<ref name="GUI">'''GUI''' stands for '''Graphical user interface'''</ref>.''
# Connect your iPod in OF<ref name="OF" />, [http://www.rockbox.org/ Rockbox] or Disk mode so it appears in My computer as a storage device. Note the drive letter (for example, '''F:''').
# Open '''Command prompt''' (Start -> Programs -> Accessories -> Command prompt).
# Enter the drive letter from step 1 with the colon at the end and press Enter.
# Enter the following commands:
 cd /
 mkdir .boot
Next, download the fastboot application that matches your emCORE version to the newly created '''.boot''' folder on your iPod. Don't forget to rename it to '''init.emcoreapp''' or it won't be loaded at all.
===Linux=== ''Since files starting with dot are hidden on Linux by default, you need to either show them (in your favourite file manager's options) or use the command line.'' An example to copy the file using the command line would be: mkdir -p /media/'''<your iPod's name>'''/.boot cp ~/Downloads/fastboot.emcoreapp /media/'''<your iPod's name>'''/.boot/init.emcoreapp ===Mac OS X=== ''Files starting with dot are hidden by default, so you need to either use the '''Terminal''' application, or change a system preference in order to show them'' An example to copy the file using the '''Terminal''' would be: mkdir -p /Volumes/'''<your iPod's name>'''/.boot cp ~/Downloads/fastboot.emcoreapp /Volumes/'''<your iPod's name>'''/.boot/init.emcoreapp ==References== <references /> bd17b725b46d5c3c0d74fff80f4b97c71bf4df7d EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 4177 4146 2012-02-14T10:42:52Z User890104 124 wikitext text/x-wiki * Make sure that you have python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] and one of the following files, depending on your Python version installed: Python '''2.x''': [http://svn.freemyipod.org/!svn/bc/788/tools/ipoddfu/libipoddfu.py libipoddfu.py]<br /> Python '''3.x''': [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for about 12 seconds. It will start to reboot after 5 seconds, but keep holding the buttons until it seems to power off completely. 
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point e.g. 'mkdir -p /media/disk' and mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 4c7dda7c4a59bd68dcad71d4fe3843d68924603c 4184 4177 2012-04-01T18:32:22Z User890104 124 wikitext text/x-wiki * Make sure that you have python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] and one of the following files, depending on your Python version installed: Python '''2.x''': [http://svn.freemyipod.org/!svn/bc/788/tools/ipoddfu/libipoddfu.py libipoddfu.py]<br /> Python '''3.x''': [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black. 
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point e.g. 'mkdir -p /media/disk' and mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 428b73cf24b60a1a2db90737b58c788f2a30e838 4188 4184 2012-04-30T16:35:46Z User890104 124 wikitext text/x-wiki * Make sure that you have python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download the following files: # [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] # '''libipoddfu.py''' for [http://svn.freemyipod.org/!svn/bc/788/tools/ipoddfu/libipoddfu.py Python '''2.x'''] '''OR''' [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py Python '''3.x'''] (check your Python version with ''python -V'') * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black. 
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point e.g. 'mkdir -p /media/disk' and mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] d90b856cb5e48e38c5f70ff042aff99793085973 EmCORE Installation/iPodClassic/DFUNoiTunes 0 353 4181 3872 2012-04-01T18:27:15Z User890104 124 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds (video on how to do it: http://youtu.be/Y_bIDtBohnE) (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. 
* Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 86b0a4528b97000c35777225d8cda333af62be89 4183 4181 2012-04-01T18:30:33Z User890104 124 wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed * Download [http://files.freemyipod.org/misc/winusb_driver.zip this] file and extract it somewhere * Download [http://files.freemyipod.org/misc/bootstrap_ipodclassic.exe this] file as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. 
* Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 16a8e74bbee0f45566640bddd684a348889ec654 Modes 0 52 4185 3896 2012-04-01T18:34:02Z User890104 124 wikitext text/x-wiki iPods have special modes that they can boot into called disk mode, DFU mode, and debug mode. ==Disk mode== Disk mode has existed ever since the iPod has existed. Disk mode is stored in different locations (depends on the iPod model). Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode, refer to [http://support.apple.com/kb/ht1363 this Apple support document]. [[Image:Diskmode.jpg]] ([http://www.ipodlinux.org/ iPodLinux project]) ==DFU mode== DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors. 
The Nano 2G also has a DFU mode, but this mode can only be entered by shorting test points on the circuit board or flashing the NOR with an image with a wrong signature/hash. There's a NOR DFU mode though, that can be entered by holding down BACK+PLAY right after rebooting the device. ===Getting DFU mode on iPod Classic, Nano 3G and newer === There is a video that explains how to do this. [http://youtu.be/Y_bIDtBohnE Watch it here]. # Make sure your iPod is turned on and connected to your computer. # Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely) # The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. You can use lsusb to determine if your iPod is in DFU mode. 05ac is the Vendor ID (Apple), and the number after the colon is the Product ID. The Product ID depends on whether the iPod is in DFU mode or not. Here is a table of Product IDs: {| class="wikitable" ! Device !! Normal !! DFU !! WTF |- | Nano 2G | 1260 | 1220 | 1240 |- | Nano 3G | 1262 | 1223/1224 | 1242 |- | Nano 4G | 1263 | 1225 | 1243 |- | Nano 5G | 1265 | 1231 | 1246 |- | Nano 6G | 1266 | 1232 | 1248 |- | Classic 1G | 1261 | 1223 | 1241 |- | Classic 2G | 1261 | 1223 | 1245 |- | Classic 3G | 1261 | 1223 | 1247 |} Sources: http://www.linux-usb.org/usb.ids http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY ===DFU utility=== TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository]. ==Debug (diagnostics) mode== This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot.
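The Product ID table in the DFU mode section above can be used as a lookup, so a script can confirm which mode a connected iPod is in before a DFU tool is run against it. This is an added example, not part of the wiki or of the freemyipod tools: the function names and the sample lsusb lines are constructed, and only the IDs are copied from the table. Note that some IDs are shared by several models, so the lookup returns every candidate.

```python
import re

APPLE_VENDOR_ID = "05ac"

# Rows copied from the Product ID table: (device, normal, DFU IDs, WTF).
PRODUCT_ID_TABLE = [
    ("Nano 2G", "1260", ["1220"], "1240"),
    ("Nano 3G", "1262", ["1223", "1224"], "1242"),
    ("Nano 4G", "1263", ["1225"], "1243"),
    ("Nano 5G", "1265", ["1231"], "1246"),
    ("Nano 6G", "1266", ["1232"], "1248"),
    ("Classic 1G", "1261", ["1223"], "1241"),
    ("Classic 2G", "1261", ["1223"], "1245"),
    ("Classic 3G", "1261", ["1223"], "1247"),
]

# Matches the "ID vvvv:pppp" field of an lsusb output line.
LSUSB_ID = re.compile(r"\bID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")

# Constructed sample input (not captured from a real machine).
# 05ac:12ff is a made-up Product ID that is absent from the table.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05ac:1223 Apple, Inc.
Bus 001 Device 005: ID 05ac:1263 Apple, Inc.
Bus 002 Device 003: ID 05ac:12ff Apple, Inc.
"""


def build_index(table=PRODUCT_ID_TABLE):
    """Map each Product ID to the list of (device, mode) pairs that use it."""
    index = {}
    for device, normal, dfu_ids, wtf in table:
        for mode, pids in (("normal", [normal]), ("DFU", dfu_ids), ("WTF", [wtf])):
            for pid in pids:
                index.setdefault(pid, []).append((device, mode))
    return index


def classify_lsusb(output, index=None):
    """Return one record per Apple device found in lsusb output.

    Non-Apple devices are skipped. Apple Product IDs that are not in the
    table are reported with mode "unknown" instead of being guessed.
    """
    index = index or build_index()
    results = []
    for line in output.splitlines():
        match = LSUSB_ID.search(line)
        if not match:
            continue
        vendor, product = match.group(1).lower(), match.group(2).lower()
        if vendor != APPLE_VENDOR_ID:
            continue
        candidates = index.get(product, [])
        modes = sorted({mode for _, mode in candidates})
        results.append({
            "product_id": product,
            "modes": modes or ["unknown"],
            # Several models can share one ID, so keep all candidates.
            "devices": [device for device, _ in candidates],
        })
    return results


def in_dfu_mode(output):
    """True if at least one listed Apple device reports a DFU Product ID."""
    return any(r["modes"] == ["DFU"] for r in classify_lsusb(output))


if __name__ == "__main__":
    for record in classify_lsusb(SAMPLE_LSUSB):
        print(record)
```
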
==Helpful pages== http://www.ipodlinux.org/wiki/Key_Combinations http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/ http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf http://www.usb.org/developers/devclass_docs/usbdfu10.pdf 638d70b8b138b678c941a0758cadc4df9e99a3f2 GUID table 0 268 4190 3956 2012-07-11T19:12:04Z Benedikt93 145 wikitext text/x-wiki = Nano 3G EFI = {| class="wikitable prettytable sortable" |+ List of EFI protocol GUIDs found in the Nano 3G EFI |- ! GUID !! Description |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | GUID at DxeD1671 +0x103C, registered at DxeD1671 +0x6F6, interface (at DxeD1671 +0xFAC): * +0 pmu_read(void *this, char reg, unsigned int size, void *data); * +4 pmu_write(void *this, char reg, unsigned int size, void *data); |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> | GUID at Cpu +0x8E0, registered at Cpu +0x37C, interface (at Cpu +0x894): * +0 int disable_MMU_and_Caches(void* this); * +4 int enable_MMU_and_Caches(void* this); |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at Cpu +0x8C4, registered at Cpu +0x37C, interface (at Cpu +0x89C): [http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL] |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> | GUID at DxeSmbus +0x6D8, registered at DxeSmbus +0x404, interface (at DxeSmbus +0x6BC): [http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL] |- | <0x26BACCB2, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at S5L8900Metronome +0x4FC, registered at S5L8900Metronome +0x246, interface (at S5L8900Metronome +0x4F4): [http://www.cse.msu.edu/~austinro/dox/html/struct___e_f_i___m_e_t_r_o_n_o_m_e___a_r_c_h___p_r_o_t_o_c_o_l.html _EFI_METRONOME_ARCH_PROTOCOL], TickPeriod = 10 |- | <0xD15BFD46, 0x954C, 0x478D, 0xA5, 0x4C, 0x36, 0xD4, 0xD8, 0xCD, 0xB0, 0xD0> | GUID at Nand +0xA5F4, registered at Nand +0x3F6, 
interface is empty: used by BDS to detect NAND (as it doesn't access its BlockIO interface directly) |- | <0x964e5b21, 0x6459, 0x11d2, {0x8e, 0x39, 0x0, 0xa0, 0xc9, 0x69, 0x72, 0x3b}> | GUID at Nand +0xA5D4, registered at Nand +0x3F6, interface (at Nand +0x84E8): [http://feishare.com/edk2doxygen/d8/dcb/struct___e_f_i___b_l_o_c_k___i_o___p_r_o_t_o_c_o_l.html _EFI_BLOCK_IO_PROTOCOL] |- | <0x9576e91, 0x6d3f, 0x11d2, {0x8e, 0x39, 0x0, 0xa0, 0xc9, 0x69, 0x72, 0x3b}> | GUID at Nand +0xA5E4, registered at Nand +0x3F6, interface (at Nand +0x8508): [http://feishare.com/edk2doxygen/d6/d11/struct_e_f_i___d_e_v_i_c_e___p_a_t_h___p_r_o_t_o_c_o_l.html EFI_DEVICE_PATH_PROTOCOL] as [http://feishare.com/edk2doxygen/dc/d04/struct_v_e_n_d_o_r___d_e_v_i_c_e___p_a_t_h.html VENDOR_DEVICE_PATH] GUID: <0xEEE84FD3, 0xD696, 0x4DCF, 0x94, 0x15, 0xF8, 0x21, 0xA4, 0, 0x72, 0x6E> |- |} = Nano 4G EFI = {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !!
Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4 |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 
0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |- | <0x3622282D, 0xC57F, 0x4A7A, 0xD137CAAD, 0x2233AF3C> || Nano4G EFI || Swif:405F02E0 |- |} d70d54349579d9f769521399c2d2a209a8f942fb EmCORE Uninstallation 0 359 4196 3904 2012-07-23T11:31:34Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If 
you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer # Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video] (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes 295ecf26c54c1ce5a533458cf571f83575b43b34 4200 4196 2012-12-29T19:22:29Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer using the USB cable '''(important, otherwise it won't work)''' # Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video] (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. 
# Restore using iTunes f802e0eba23864b34b0ed875feca543844d5bb93 4201 4200 2013-02-07T20:13:22Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have) # Connect your iPod to your computer using the USB cable '''(important, otherwise it won't work)''' # Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video] (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes If iTunes can't restore your iPod, please [http://appletoolbox.com/2010/09/how-to-downgrade-itunes-10-to-itunes-9-2-1/ downgrade iTunes to 9.2.1] f3147c104603de417f85ded3078bf20bd1c409f3 4207 4201 2013-09-03T11:22:31Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have). 
We recommend using [http://appletoolbox.com/2010/09/how-to-downgrade-itunes-10-to-itunes-9-2-1/ iTunes to 9.2.1] for this process. # Connect your iPod to your computer using the USB cable '''(important, otherwise it won't work)''' # Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video] (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes 732f5920c6e9776de917bd4664028ba428b8081b 4208 4207 2013-09-03T11:23:37Z User890104 124 wikitext text/x-wiki If you would like to uninstall [[emCORE]] please follow these instructions: ==iPod Nano 2G== '''If you removed the firmware partition during the installation, you need to restore with iTunes first, so ALL data on your iPod Nano 2G will be deleted!''' # Power on your iPod # Scroll to '''Tools''' in the Boot menu # Press Select # Scroll to '''Uninstall emCORE''' # Press Select If you removed the firmware partition during the installation, you'll be prompted to restore with iTunes after uninstalling emCORE. ==iPod Classic== '''Warning: Uninstalling [[emCORE]] will delete ALL data on your iPod Classic!''' # Install iTunes on your computer (if you don't have). We recommend using [http://appletoolbox.com/2010/09/how-to-downgrade-itunes-10-to-itunes-9-2-1/ iTunes to 9.2.1] for this process. # Connect your iPod to your computer using the USB cable '''(important, otherwise it won't work)''' # Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video] (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely). 
The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC. # Restore using iTunes 95cc2f03e2c1aa6dc268f1814b7f04e6a56ef41c Firmware decryption 0 66 4197 3314 2012-07-31T21:27:50Z User890104 124 wikitext text/x-wiki {{Template:Outdated|reason=iBugger is deprecated, and some links are dead}} ==Background== Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted; it uses RC4 encryption, and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key hasn't been found yet, but it is not needed to decrypt the firmware. After the notes exploit was discovered, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) that decrypts parts of the firmware using the iPod's own crypto engine. The utility is loaded into the iPod's memory via [[iBugger]], then the encrypted data is sent to it. After the decryption process completes, the decrypted data is downloaded. ==ipodcrypt== The ipodcrypt utility has the following features: for [[Nano 2G]]: *encrypt/decrypt DFU image *encrypt/decrypt firmware file contents *encrypt/decrypt dump of NOR flash's contents for [[Nano 4G]]: *decrypt firmware file contents Decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt. You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb.
It is possible to run the utilities on both Windows and Linux. ==Prerequisites== ===Windows=== First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below) Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver. '''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended. To use the 1.2.x version, you need to extract it in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in the 1.2.x package. Installing the driver then is as usual. '''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions. ===Linux=== Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with: <pre> easy_install pyusb </pre> Otherwise, you need to download it and install it manually as in the Windows instructions. To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.
===Mac OS X=== (to be added later) ==Helpful pages== http://ipodlinux.org/wiki/Flash_Decryption http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://code.google.com/p/iphone-elite/w/list http://code.google.com/p/chronicdev/w/list http://wikee.iphwn.org/ http://iphonejtag.blogspot.com/ 13b7a039ee657a776866b68ca49e394ac12b00a7 Contact 0 259 4199 3851 2012-10-01T21:26:02Z User890104 124 wikitext text/x-wiki There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices. == IRC == We have some fairly active IRC channels on [http://freenode.net/ freenode]. Some channels are logged, please check http://logs.freemyipod.org for the logfiles. === #freemyipod-support === This is our support channel. <span style="color: #f00;">'''If you have questions or problems concerning our software, this is the place to ask.'''</span> If you have questions about rockbox that are not iPod related, please look for support at [http://www.rockbox.org/ rockbox.org] and if you happen to have any question related to the original iPod firmware please ask elsewhere. * You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [http://webchat.freenode.net/?channels=freemyipod-support here]) === #freemyipod === This channel is for anything else related to the project, mainly focused on development. If you want to get a better knowledge about the technical details of something or want to [[Contributing|contribute]] to the project we will be glad to help you. * You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [http://webchat.freenode.net/?channels=freemyipod here]) === #freemyipod-chatter === This is our offtopic channel. Any stuff that is not related to the project should be discussed there. * You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. 
(Web client [http://webchat.freenode.net/?channels=freemyipod-chatter here]) == Mailing lists == We have several mailing lists. You can find them on http://lists.freemyipod.org. === freemyipod === This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something. * You can register on [http://lists.freemyipod.org/listinfo/freemyipod this page] === freemyipod-commits === This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list. * You can subscribe to it [http://lists.freemyipod.org/listinfo/freemyipod-commits here] == Mail == If you want to contact one of the core members directly you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request please send it to the mailing list. d04ea1d199c328219feb903ec6b92646e9bb766c EmCORE Installation/iPodClassic 0 343 4202 4026 2013-07-12T17:18:20Z User890104 124 wikitext text/x-wiki <small>'''''Note''': this guide has been translated into other languages by various [[emCORE]] users. We are linking to their translations to make installing easier, if you understand that language better than English. <span style="color: #f00;">'''WE DO NOT SUPPORT THESE GUIDES AND ARE IN NO WAY AFFILIATED WITH THEIR AUTHORS.'''</span>'' * [http://urgor.com.ua/rockbox-%D0%BD%D0%B0-ipod-classic-gen6th-%D1%81%D0%B2%D0%B5%D1%80%D1%88%D0%B8%D0%BB%D0%BE%D1%81%D1%8C/ Russian] * [http://shishikai.blog9.fc2.com/blog-entry-92.html Japanese] English guide follows: </small> Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?)
* [[EmCORE Installation/iPodClassic/ThirdParty|Yes]]
* [[EmCORE Installation/iPodClassic/PrepareDFU|No]]

0af06d58fde784a30f278147d1102e115f0848e8 Nano 4G 0 243 4203 3954 2013-07-30T16:52:24Z TheSeven 13 wikitext text/x-wiki
[[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]]

==Components==
{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 2
| CPU
| Samsung S5L8720
| 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831
| ARM1176JZF-S processor. It is worth knowing that this is the exact same processor used in the iTouch 2G, which could mean that some of the same exploits for that device could be used here. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
|
| SDRAM
|
|
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| 4
| Accelerometer
| [http://www.st.com/stonline/products/literature/ds/12726.pdf LIS302DL]
| 33DL, 2827
| The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
|-
| 6
| NAND Flash
| Varies
| TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE
|
|-
| 5
| Audio codec
| [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58]
| 338S055C, 189N0824, SGP
| I determined this because the [[Nano 5G]] has a similar chip, whose identity we are sure of. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air.
|-
| 1
| Power manager
| Dialog D1759
| 338S0687-AC, 08288HBB
|
|-
| 3
|
|
|
|
|}

==Reverse Engineering Results==
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151.
==Status registers==
We dumped all c0 coprocessor registers:

===c0,c0===
'''Value:''' 0x410FB764

'''Interpretation:''' ARM1176 rev. 4

===c0,c1===
'''Value:''' 0x1D152152

'''Interpretation:''' DCache/ICache 16KB each, 4 way associative, 32 bytes line size

===c0,c2===
'''Value:''' 0x00000000

'''Interpretation:''' No TCM

===c0,c3===
'''Value:''' 0x00000800

'''Interpretation:''' Unified TLB, 8 lockable entries

===c1,c0===
'''Value:''' 0x00000111

'''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support

===c1,c1===
'''Value:''' 0x00000011

'''Interpretation:''' Trustzone v1

===c1,c2===
'''Value:''' 0x00000033

'''Interpretation:''' Supports debug model v6.1, both applications processor and secure

===c1,c3===
'''Value:''' 0x00000000

'''Interpretation:''' No auxiliary features

===c1,c4===
'''Value:''' 0x01130003

'''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7

===c1,c5===
'''Value:''' 0x10030302

'''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM)

===c1,c6===
'''Value:''' 0x01222100

'''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation

===c1,c7===
'''Value:''' 0x00000000

'''Interpretation:''' No hierarchical cache maintenance support

===c2,c0===
'''Value:''' 0x00140011

'''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB, doesn't support division, combined compare and branch or bitfield instructions

===c2,c1===
'''Value:''' 0x12002111

'''Interpretation:''' Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND

===c2,c2===
'''Value:''' 0x11231121

'''Interpretation:''' Supports REV,
REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs

===c2,c3===
'''Value:''' 0x01102131

'''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.

===c2,c4===
'''Value:''' 0x00001141

'''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No barrier instructions support.
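
The c0,c0, c0,c1 and c0,c3 values dumped above can be decoded mechanically to cross-check the hand interpretations. The Python below is an added example, not code from the freemyipod project; it assumes the ARMv6 Main ID, Cache Type and TLB Type register layouts, and all function names are hypothetical.

```python
"""Decode ARMv6 CP15 c0 identification registers (added example)."""

# Register values exactly as dumped on this page from the Nano 4G (S5L8720).
MAIN_ID = 0x410FB764      # c0,c0
CACHE_TYPE = 0x1D152152   # c0,c1
TLB_TYPE = 0x00000800     # c0,c3

# Lookup tables cover only the values seen on this page.
IMPLEMENTERS = {0x41: "ARM"}
PART_NUMBERS = {0xB76: "ARM1176"}


def bits(value, high, low):
    """Return the bit field value[high:low] (inclusive) as an integer."""
    return (value >> low) & ((1 << (high - low + 1)) - 1)


def decode_main_id(reg):
    """Split the Main ID register into its five fields."""
    impl = bits(reg, 31, 24)
    part = bits(reg, 15, 4)
    return {
        "implementer": IMPLEMENTERS.get(impl, hex(impl)),
        "variant": bits(reg, 23, 20),
        "architecture": bits(reg, 19, 16),   # 0xF = described by CPUID registers
        "part": PART_NUMBERS.get(part, hex(part)),
        "revision": bits(reg, 3, 0),
    }


def decode_cache_field(field):
    """Decode one 12-bit Dsize/Isize field of the ARMv6 Cache Type register."""
    size = bits(field, 9, 6)
    assoc = bits(field, 5, 3)
    m = bits(field, 2, 2)        # multiplier bit: selects the 1.5x encodings
    length = bits(field, 1, 0)
    if m and assoc == 0:
        return None              # this encoding means "cache absent"
    return {
        "size_bytes": (768 if m else 512) << size,
        "ways": (3 << (assoc - 1)) if m else (1 << assoc),
        "line_bytes": 1 << (length + 3),
        "page_colouring_restriction": bool(bits(field, 11, 11)),
    }


def decode_cache_type(reg):
    """Decode the Cache Type register; reject the later ARMv7 layout."""
    if bits(reg, 31, 29) != 0:
        raise ValueError("not an ARMv6-format Cache Type register")
    separate = bool(bits(reg, 24, 24))
    dcache = decode_cache_field(bits(reg, 23, 12))
    # With a unified cache (S = 0) both fields describe the same cache.
    icache = decode_cache_field(bits(reg, 11, 0)) if separate else dcache
    return {
        "ctype": bits(reg, 28, 25),
        "separate": separate,
        "dcache": dcache,
        "icache": icache,
    }


def decode_tlb_type(reg):
    """Decode the TLB Type register (lockable entry counts)."""
    return {
        "unified": bits(reg, 0, 0) == 0,
        "data_or_unified_lockable": bits(reg, 15, 8),
        "instruction_lockable": bits(reg, 23, 16),
    }


if __name__ == "__main__":
    print(decode_main_id(MAIN_ID))
    print(decode_cache_type(CACHE_TYPE))
    print(decode_tlb_type(TLB_TYPE))
```

Decoding the dumped values this way reproduces the interpretations given above: ARM1176 revision 4, separate 16KB 4-way caches with 32-byte lines, and a unified TLB with 8 lockable entries.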
===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) ea178040221674a86fb137c8a35baab58a8d9173 EmCOREFS 0 377 4204 4092 2013-08-20T17:40:44Z User890104 124 wikitext text/x-wiki {{Template:Outdated|reason=emCOREFS is not compatible with emCORE r891+, due to breaking changes (new debugging method)}} emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is not yet complete, but most features are done. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC/Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make test * run the build in the foreground, showing FUSE debug messages in the terminal. make testdebug ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). * Starting: ./emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. 
* Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. dd36af27fd8cbe7f23e41ad7a5da7f96d72f7e3f 4211 4204 2013-10-15T22:28:13Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is mostly complete, and works well. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC 4.4 and GNU Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Installing needed packages on Ubuntu=== sudo apt-get install gcc-4.4 make pkg-config libusb-1.0-0-dev libfuse-dev ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. 
make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * run the build without FUSE debugging messages, going into the background if it connects to the device successfully. make test * run the build in the foreground, showing FUSE debug messages in the terminal. make testdebug ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). * Starting: ./emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. * Rename/move in the filesystem itself is currently disabled, since the underlying filesystem call crashes the emCORE kernel. Workaround: move the file/dir on another filesystem, then rename it if needed, then move it back. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. bc3978eb9fbde33ca8d6fd0f6fe0ed4a81638f59 4212 4211 2013-10-15T22:32:44Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is mostly complete, and works well. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC 4.4 and GNU Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Installing needed packages on Ubuntu=== sudo apt-get install gcc-4.4 make pkg-config libusb-1.0-0-dev libfuse-dev ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make build/emcorefs * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * test the connection and some basic emCORE functions. useful only to developers. make build/emcore-test ./build/emcore-test ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). * Starting: ./build/emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Write support not tested very well. * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Most errors are not handled properly, EIO (Input/output error) is given in many cases where there's a more descriptive error message available. Will be fixed in the future. 
* Rename/move in the filesystem itself is currently disabled, since the underlying filesystem call crashes the emCORE kernel. Workaround: move the file/dir on another filesystem, then rename it if needed, then move it back. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. 15b8f6b41959a16a9dc4c4b4edf42c3ddb34f3c6 EmCORE Installation/iPodClassic/UMSboot 0 347 4213 4210 2013-12-28T11:46:24Z TheSeven 13 Undo revision 4210 by [[Special:Contributions/User890104|User890104]] ([[User talk:User890104|talk]]). This was massively confusing, we need to find a better layout for this. wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Eject that volume ([http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif use "Eject" from the Explorer right-click menu], or the "eject" utility on Linux) * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. 
* Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download the "rockbox-ipodclassic.zip" file from the [[emCORE Releases]] page * Extract its contents to the root directory of your iPod's hard disk drive * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, UMSboot, etc.) ef64458015096b5af37a29678bcef18db74d93b3 4218 4213 2014-01-28T22:10:39Z User890104 124 change instructions to use rockbox utility instead of manual extracting wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * Eject that volume ([http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif use "Eject" from the Explorer right-click menu], or the "eject" utility on Linux) * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download and run [http://www.rockbox.org/wiki/RockboxUtility#Download Rockbox Utility] * In the configuration dialog, select your iPod's location, then tick the '''Show disabled targets''' checkbox * Select '''Apple''' -> '''Ipod Classic (6th gen)''' from the list of players * Proceed with the installation of the '''Development version''' of Rockbox, as shown in the [http://www.rockbox.org/wiki/GraphicalInstall guide] * (Optional) If you want to be able to upgrade Rockbox easily, choose '''File''' -> '''Install Rockbox Utility on player'''. This will copy Rockbox Utility to the root folder of your iPod, so you can run it straight from your player's hard disk later. * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use '''Tools''' -> '''Settings''' -> '''Fastboot action''' to set a default boot option (e.g. 
Rockbox) 3d5e86803dfb19e5c6e633f0191d88c799b9fc41 4232 4218 2014-05-14T22:19:51Z User890104 124 clarify how UMSboot should be ejected properly wikitext text/x-wiki * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * '''If you are using Windows''', open '''Windows Explorer''' and right-click on the drive, then select '''Eject''' (as shown on [http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif this screenshot]) <br><font color="red">'''Ejecting the drive from the system tray icon will not work'''</font> * '''If you are using Linux''', eject the drive using the '''eject''' command * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download and run [http://www.rockbox.org/wiki/RockboxUtility#Download Rockbox Utility] * In the configuration dialog, select your iPod's location, then tick the '''Show disabled targets''' checkbox * Select '''Apple''' -> '''Ipod Classic (6th gen)''' from the list of players * Proceed with the installation of the '''Development version''' of Rockbox, as shown in the [http://www.rockbox.org/wiki/GraphicalInstall guide] * (Optional) If you want to be able to upgrade Rockbox easily, choose '''File''' -> '''Install Rockbox Utility on player'''. This will copy Rockbox Utility to the root folder of your iPod, so you can run it straight from your player's hard disk later. 
* Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use '''Tools''' -> '''Settings''' -> '''Fastboot action''' to set a default boot option (e.g. Rockbox) e857f07da0acf5762be73d8945d788386a9ed8c0 4262 4232 2016-06-09T01:21:36Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Download the "installer-ipodclassic.ubi" file from the [[emCORE Releases]] page * Save it to the 64MB-sized "UMSboot" volume * '''If you are using Windows''', open '''Windows Explorer''' and right-click on the drive, then select '''Eject''' (as shown on [http://kb.sandisk.com/euf/assets/images/faqs/309/id104-w7-eject.gif this screenshot]) <br><font color="red">'''Ejecting the drive from the system tray icon will not work'''</font> * '''If you are using Linux''', eject the drive using the '''eject''' command * Follow the on-screen instructions If everything worked right, you should now see the emCORE boot menu. If not, please ask for [[Contact|support]]. * Choose the "Rockbox" option * Wait for Rockbox to boot (Complaints about the rockbox.ipod file being missing are normal at this point.) <span style="color: #f00;">'''Even though Rockbox starts, the installation is not complete yet. 
Continue reading and following the instructions to the end of the page!'''</span> * Wait for the iPod's hard disk drive to connect and become accessible * Download and run [http://www.rockbox.org/wiki/RockboxUtility#Download Rockbox Utility] * In the configuration dialog, select your iPod's location, then tick the '''Show disabled targets''' checkbox * Select '''Apple''' -> '''Ipod Classic (6th gen)''' from the list of players * Proceed with the installation of the '''Development version''' of Rockbox, as shown in the [http://www.rockbox.org/wiki/GraphicalInstall guide] * (Optional) If you want to be able to upgrade Rockbox easily, choose '''File''' -> '''Install Rockbox Utility on player'''. This will copy Rockbox Utility to the root folder of your iPod, so you can run it straight from your player's hard disk later. * Safely eject (or unmount on Linux) your iPod's hard disk drive * Disconnect your iPod from your PC * Wait for Rockbox to return to the main menu (may take around half a minute) * Shut down Rockbox by holding the play button for several seconds Congratulations, you have successfully installed [[emCORE]] and Rockbox! If you don't want to see the bootmenu every time you power on your iPod, you can use '''Tools''' -> '''Settings''' -> '''Fastboot action''' to set a default boot option (e.g. Rockbox) d9a97fb94e8e50990b68d713618ddc5c09164898 EmCOREFS 0 377 4214 4212 2014-01-02T23:21:46Z User890104 124 wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is mostly complete, and works well. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC 4.4 and GNU Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. 
all dependencies of the above ===Installing needed packages on Ubuntu=== sudo apt-get install gcc-4.4 make pkg-config libusb-1.0-0-dev libfuse-dev ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make build/emcorefs * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * test the connection and some basic emCORE functions. useful only to developers. make build/emcore-test ./build/emcore-test ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). * Starting: ./build/emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> ==Known bugs/issues== * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Some errors are not handled properly, EIO (Input/output error) is given in cases where there's a more descriptive error message available. Will be fixed in the future. * '''Rename/move in the filesystem itself is currently disabled, since the underlying filesystem call crashes the emCORE kernel.''' Workaround: move the file/dir on another filesystem, then rename it if needed, then move it back. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. * Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. 
[[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. b3722339ba7262d154e0f3850776c4e83d75e7ad 4222 4214 2014-01-29T21:28:20Z User890104 124 add os x umount command wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is mostly complete, and works well. It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC 4.4 and GNU Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Installing needed packages on Ubuntu=== sudo apt-get install gcc-4.4 make pkg-config libusb-1.0-0-dev libfuse-dev ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make build/emcorefs * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * test the connection and some basic emCORE functions. useful only to developers. make build/emcore-test ./build/emcore-test ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). 
* Starting: ./build/emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> (on Linux) diskutil unmount <mountpoint as seen in /etc/mtab> (on OS X) ==Known bugs/issues== * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Some errors are not handled properly, EIO (Input/output error) is given in cases where there's a more descriptive error message available. Will be fixed in the future. * '''Rename/move in the filesystem itself is currently disabled, since the underlying filesystem call crashes the emCORE kernel.''' Workaround: move the file/dir on another filesystem, then rename it if needed, then move it back. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. * Return proper error codes in FS operations. ==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. 4c1e6a995a795da43978a5597906503d3f4b0a77 4230 4222 2014-05-08T13:07:41Z User890104 124 finally remove the requirement for gcc version wikitext text/x-wiki emCOREFS is a FUSE-based filesystem that uses emCORE's Monitor API to provide communication with device's FS. It is mostly complete, and works well. 
It runs on both Linux and Mac OS X. For communication with the device, this application uses libusb 1.0. ==Building== You need: 1. GCC and GNU Make (Xcode on OS X) 2. pkg-config 3. libusb >= 1.0 4. libfuse >= 2.8 (or fuse4x on x64 OS X) 5. all dependencies of the above ===Installing needed packages on Ubuntu=== sudo apt-get install gcc make pkg-config libusb-1.0-0-dev libfuse-dev ===Compiling=== * standard build, no debug messages, only fatal errors on startup are shown. make build/emcorefs * debug build, some debug/error messages are shown. libusb debug messages are enabled, too. make debug You can prefix any of these with CFLAGS="-DDEBUG_USB_PACKETS" in order to have a dump of the usb traffic that's being sent and received. ===Testing=== * test the connection and some basic emCORE functions. useful only to developers. make build/emcore-test ./build/emcore-test ==Running== You need FUSE >= 2.8 installed. (or fuse4x on x64 OS X) Currently tested on Linux (Ubuntu 11.04 x86) and Mac OS X (10.6.8 x64). * Starting: ./build/emcorefs <mountpoint> * Stopping: fusermount -u <mountpoint as seen in /etc/mtab> (on Linux) diskutil unmount <mountpoint as seen in /etc/mtab> (on OS X) ==Known bugs/issues== * Running FUSE with multithreading breaks file reading because of the way these are implemented on emCORE's side. Workaround: use the "-s" option. * Some errors are not handled properly, EIO (Input/output error) is given in cases where there's a more descriptive error message available. Will be fixed in the future. * '''Rename/move in the filesystem itself is currently disabled, since the underlying filesystem call crashes the emCORE kernel.''' Workaround: move the file/dir on another filesystem, then rename it if needed, then move it back. ==Future plans== * Merge some functions that are doing similar tasks to reduce code duplication. * Return proper error codes in FS operations. 
==Bug reporting== Main developer: [[User:User890104|Vencislav "user890104" Atanasov]] How to contact: [[Contact]] ==License terms== emCOREFS is distributed under the same license terms as [[emCORE]]. [[emCORE]] is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. [[emCORE]] is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with [[emCORE]]. If not, see http://www.gnu.org/licenses/. ebaedf01d0d37d6ff749287fd8a9b64636a840bc SVN 0 261 4215 3300 2014-01-28T21:15:44Z User890104 124 Update SVN URLs wikitext text/x-wiki We have a Subversion repository where we store our code for our software projects. == Builds == We have automatic builds of our software. Just head over to http://builds.freemyipod.org/ to download the build you want. == WebSVN == If you just want to browse the SVN, go to http://websvn.freemyipod.org/ == Checkout == If you want to checkout the repository, please use this url: svn://svn.freemyipod.org/ == Commit == If you are a registered developer you need to use this url to checkout and commit: svn+ssh://svn@svn.freemyipod.org/ Developers are authenticated using SSH keys. 
5b9e87f7d734442f6acabc20c0ae0d439b970973 EmCORE Installation/iPodClassic/PrepareDFULinux 0 350 4216 4188 2014-01-28T21:46:33Z User890104 124 finally fix the python versions mess wikitext text/x-wiki

* Make sure that you have Python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed
* Download the following files:
# [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py]
# [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py]
* Download the "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder
* Connect the iPod to the computer
* Make sure the hold switch is turned off
* Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an Apple logo after about 5 seconds; keep holding the buttons until it seems to turn off completely
The display of your iPod should now stay black.
* Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple Python versions installed, make sure that you're using version 2.6 or 2.7 and that pyusb is installed into that version)
Your iPod should now turn on and display "UMSboot."

If you run 'sudo fdisk -l', a 64 MB drive will appear without partitions, for example /dev/sdb.

Next, create a mount point, e.g. 'mkdir -p /media/disk', and mount the disk without specifying a filesystem type, e.g. 'sudo mount /dev/sdX /media/disk', where X is the drive letter from the previous step.

It's a known issue that Linux might take a long time (over 10 min) to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]].
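
The drive-selection step above ("a 64 MB drive will appear without partitions"), as an added example that is not part of the original instructions: a shell function that picks that drive out of lsblk output instead of relying on a guessed drive letter. The function name find_umsboot_disk, the 60 to 70 MB size window and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# Selects the UMSboot drive by its properties (whole disk, about 64 MB,
# no partitions) so that the wrong /dev/sdX is never mounted by accident.
#
# Input on stdin: output of
#   lsblk -b -n -P -o NAME,SIZE,TYPE,PKNAME
# Output: the device path, for example /dev/sdb
# Exit status: 0 = exactly one match, 1 = no match, 2 = more than one match

# Assumed size window in bytes; the page only says "64 MB".
UMSBOOT_MIN_BYTES=60000000
UMSBOOT_MAX_BYTES=70000000

find_umsboot_disk() {
    awk -v lo="$UMSBOOT_MIN_BYTES" -v hi="$UMSBOOT_MAX_BYTES" '
    {
        name = ""; size = 0; type = ""; parent = ""
        # Every field is one KEY="value" pair; these four values never contain spaces.
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "NAME") name = val
            else if (key == "SIZE") size = val + 0      # force a numeric value
            else if (key == "TYPE") type = val
            else if (key == "PKNAME") parent = val
        }
        if (type == "disk") disk_size[name] = size
        # A partition row names its parent disk in PKNAME.
        if (type == "part" && parent != "") has_part[parent] = 1
    }
    END {
        n = 0
        for (d in disk_size) {
            if (d in has_part) continue                 # partitioned: not UMSboot
            if (disk_size[d] >= lo + 0 && disk_size[d] <= hi + 0) { n++; found = d }
        }
        if (n == 1) { print "/dev/" found; exit 0 }
        # Refuse to guess when nothing or several disks match.
        exit (n == 0 ? 1 : 2)
    }'
}

# Constructed sample listing (not captured from a real machine).
SAMPLE_LSBLK='NAME="sda" SIZE="500107862016" TYPE="disk" PKNAME=""
NAME="sda1" SIZE="500106813440" TYPE="part" PKNAME="sda"
NAME="sdb" SIZE="67108864" TYPE="disk" PKNAME=""'

# On a real system, feed it live data and mount only what it returns:
#   dev=$(lsblk -b -n -P -o NAME,SIZE,TYPE,PKNAME | find_umsboot_disk) &&
#       sudo mount "$dev" /media/disk
printf '%s\n' "$SAMPLE_LSBLK" | find_umsboot_disk
```

A non-zero exit status means the drive was not found or the choice is ambiguous; in either case nothing should be mounted until the listing has been checked by hand.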
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] f195a9898669c6b9044c4a8c99abd33b1714ed89 4217 4216 2014-01-28T21:47:36Z User890104 124 change wording wikitext text/x-wiki * Make sure that you have python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download the following files: # [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] # [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using the version that pyusb is installed into) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point e.g. 'mkdir -p /media/disk' and mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] a96f01fb76b3d7634a656bbccb1911bfa799eadb 4264 4217 2016-06-09T01:23:03Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Make sure that you have python 2.6 or newer, libusb and [http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/ pyusb >=1.0.0a0] installed * Download the following files: # [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] # [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py] * Download "bootstrap-ipodclassic.dfu" file from the [[emCORE Releases]] page and store it in the same folder * Connect the iPod to the computer * Make sure the hold switch is turned off * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black. * Run: 'sudo python ipoddfu.py bootstrap-ipodclassic-*.dfu' (If you have multiple python versions installed, make sure that you're using the version that pyusb is installed into) Your iPod should now turn on and display "UMSboot." If you run 'sudo fdisk -l' a 64 MB drive will appear without partitions, for example /dev/sdb. Next create a mount point e.g. 'mkdir -p /media/disk' and mount the disk without specifying a file type, e.g. 'sudo mount /dev/sdX /media/disk' where X is the drive letter from the previous step. It's a known issue that Linux might take a long (over 10 min) time to recognize and mount the iPod. If it doesn't (after waiting very long), please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] e5654b04ae0a45cd48d445bd6eaac283c13e4147 EmCORE Installation/iPodClassic/DFUNoiTunes 0 353 4219 4183 2014-01-28T22:41:28Z User890104 124 add instructions for zadig, that can be used when our tool is compatible with zadig's winusb driver wikitext text/x-wiki * Make sure that you have .NET Framework 3.5 or later installed <!-- * Download [http://zadig.akeo.ie/ Zadig] --> * Download [http://files.freemyipod.org/misc/winusb_driver.zip winusb_driver.zip] and extract it somewhere * Download [http://files.freemyipod.org/targets/iPod%20classic/bootstrap_ipodclassic.exe bootstrap_ipodclassic.exe] as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. <!-- * Open Zadig * Select '''Options''' -> '''List All Devices''' * Select '''USB DFU Device''' from the dropdown list. Make sure the USB IDs are: 05AC 1223 * Make sure that '''WinUSB''' is shown in the right box below (above the big button). 
If not, select it using the small arrow buttons on the right side of the small right box * Click the big button that says '''Install Driver''' or '''Replace Driver''' --> * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] ee6333abc883db816916bf219f258d5cb241ac3b 4271 4219 2016-06-09T01:24:41Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Make sure that you have .NET Framework 3.5 or later installed <!-- * Download [http://zadig.akeo.ie/ Zadig] --> * Download [http://files.freemyipod.org/misc/winusb_driver.zip winusb_driver.zip] and extract it somewhere * Download [http://files.freemyipod.org/targets/iPod%20classic/bootstrap_ipodclassic.exe bootstrap_ipodclassic.exe] as well * Connect your iPod to your computer * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. 
<!-- * Open Zadig * Select '''Options''' -> '''List All Devices''' * Select '''USB DFU Device''' from the dropdown list. Make sure the USB IDs are: 05AC 1223 * Make sure that '''WinUSB''' is shown in the right box below (above the big button). If not, select it using the small arrow buttons on the right side of the small right box * Click the big button that says '''Install Driver''' or '''Replace Driver''' --> * Wait for Windows to ask you for a driver for this device * Always choose the bottom-most option (don't search on windows update, choose everything manually) until you get to the list of available drivers * Choose "All device types" and click "Next" * Click "Have disk" * Click "Browse" * Navigate to the folder where you extracted the winusb_driver.zip file, and choose the "winusb.inf" file from it * Click "Open" * Click "OK" * Click "Next" * Wait for the driver installation to complete * Run bootstrap_ipodclassic.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] 18f1efd5c65a5208d7bd0ef343751094049d3c9f EmCORE Installation/iPodClassic/PrepareDFU 0 348 4220 3826 2014-01-28T22:58:37Z User890104 124 wikitext text/x-wiki Which operating system are you using on your computer? 
* [[EmCORE Installation/iPodClassic/PrepareDFUWin|Windows (XP/Vista/7/8/8.1)]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|An older version of Windows]] * [[EmCORE Installation/iPodClassic/PrepareDFULinux|Linux]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|Mac OS]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|Something else]] b35bd33ee83899c6e4b91c2348961f1572302f2d 4261 4220 2016-06-09T01:21:18Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} Which operating system are you using on your computer? * [[EmCORE Installation/iPodClassic/PrepareDFUWin|Windows (XP/Vista/7/8/8.1)]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|An older version of Windows]] * [[EmCORE Installation/iPodClassic/PrepareDFULinux|Linux]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|Mac OS]] * [[EmCORE Installation/iPodClassic/UnsupportedOS|Something else]] e0de9db1ad46fce766874d26d214629a9258160e EmCORE Installation/iPodClassic/DFUiTunes 0 352 4221 4205 2014-01-28T22:58:59Z User890104 124 wikitext text/x-wiki * Download [http://files.freemyipod.org/targets/iPod%20classic/bootstrap_ipodclassic_itunes.exe bootstrap_ipodclassic_itunes.exe] * Connect your iPod to your computer * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Do the same for "iTunesHelper.exe" * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. 
The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. * [[EmCORE Installation/iPodClassic/UMSboot|Next step]] f576b3a3353426ac0843cb3555eb179c7af29624 4267 4221 2016-06-09T01:23:52Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Download [http://files.freemyipod.org/targets/iPod%20classic/bootstrap_ipodclassic_itunes.exe bootstrap_ipodclassic_itunes.exe] * Connect your iPod to your computer * Make sure iTunes is closed * Kill "AppleMobileDeviceService.exe" using the task manager ** Open the task manager (press CTRL + SHIFT + ESC) ** Click on the "Processes" tab ** Choose "AppleMobileDeviceService.exe" ** Press the "End Process" button ** Press "End Process" to confirm * Do the same for "iTunesHelper.exe" * Make sure the hold switch is not locked * Press and hold the menu and select buttons for between 10 and 15 seconds - [http://youtu.be/Y_bIDtBohnE click here for a how-to video]. The iPod will show an apple logo after about 5 seconds, keep holding the buttons until it seems to turn off completely The display of your iPod should now stay black, and a new USB device called "Apple Recovery (DFU) USB Driver" should connect to your PC. * Wait for the driver installation to complete * Run bootstrap_ipodclassic_itunes.exe Your iPod should now turn on and connect a 64MB drive called "UMSboot". If it doesn't, please ask for [[Contact|support]]. 
* [[EmCORE Installation/iPodClassic/UMSboot|Next step]] c7f34164adef884042b77afe490e715d0aaa0f36 Main Page 0 50 4223 4179 2014-03-27T06:20:20Z User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Getting started with [[emCORE]]== # Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment. # Follow the [[emCORE_Installation|installation instructions]] if your device is supported. # In case you encounter any bugs, please [[Contact|contact]] us in order to report them. ==Updates== * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. 
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] ** [[emCORE Uninstallation]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} f9f569dcbf22724dc35ca4cb7bba467743dfbb0e 4257 4223 2016-06-09T01:18:24Z 
User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Installing Rockbox on iPod Classic== emCORE is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] in order to install and run Rockbox on iPod Classic. ==Getting started with [[emCORE]] (DEPRECATED)== # Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment. # Follow the [[emCORE_Installation|installation instructions]] if your device is supported. # In case you encounter any bugs, please [[Contact|contact]] us in order to report them. ==Updates== * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! 
More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] ** [[emCORE Uninstallation]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 
36a87379e8c771aeea42360e57b092e28c98ffc5 4273 4257 2016-06-25T11:50:03Z User890104 124 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]] ==Installing Rockbox on iPod Classic== emCORE is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] in order to install and run Rockbox on iPod Classic. ==Getting started with [[emCORE]] (DEPRECATED)== # Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment. # Follow the [[emCORE_Installation|installation instructions]] if your device is supported. # In case you encounter any bugs, please [[Contact|contact]] us in order to report them. ==Updates== * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. 
A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ** [[ Toolchain ]] * [[ SVN ]] * [[ Todo list ]] * [[ Special:Code/freemyipod|SVN Activity ]] * [[ Project summary ]] ===Released Software=== * [[iBugger]] * [[iLoader]] * [[emCORE]] ** [[emCORE Installation]] ** [[emCORE Releases]] ** [[emCORE Monitor Protocol]] ** [[emCOREFS]] ** [[emCORE Uninstallation]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] * [[Firmware decryption]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] * Nano 4G ** [[Nano4G firmware upgrade process]] ===Other guides=== * [[MPEG movies]] * [[Modes]] |style="border: 1px dashed #c6c9ff; 
background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] *** [[Nano2G HW analysis]] *** [[S5L8701 analysis]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} e4e9db7d6402c32c73d39170a34e031141c16560 EmCORE Installation/iPodClassic/ChooseMethod 0 354 4224 3958 2014-04-06T12:30:53Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|Install iTunes' USB drivers]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|Install a custom device driver for the iPod (advanced users only)]] - <span style="color: red;">not always working at the moment. use the first method if it fails for you</span> 38c6211515631abdf8eff8f652878e36d96f0246 4225 4224 2014-04-06T12:32:17Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|Install iTunes (easy)]] * [[EmCORE Installation/iPodClassic/InstalliTunesDrivers|Install iTunes' USB drivers (a bit complicated)]] * [[EmCORE Installation/iPodClassic/DFUNoiTunes|Install a custom device driver for the iPod (advanced users only)]] - <span style="color: red;">not always working at the moment. 
use the first method if it fails for you</span> 9539349472641a4bcf7382b301bae0ec44a01c91 4226 4225 2014-04-06T12:33:10Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|Install iTunes (easy)]] * [[EmCORE Installation/iPodClassic/InstalliTunesDrivers|Install only iTunes' USB drivers (a bit complicated)]] - choose this if you don't want to install iTunes and the whole bunch of software it comes with * [[EmCORE Installation/iPodClassic/DFUNoiTunes|Install a custom device driver for the iPod (advanced users only)]] - <span style="color: red;">not always working at the moment. use the first method if it fails for you</span> 240371a88d99339b23efcc0f804526dde58965de 4237 4226 2014-07-25T07:03:01Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|[EASY] Install iTunes]] * [[EmCORE Installation/iPodClassic/InstalliTunesDrivers|[A BIT COMPLICATED] Install only iTunes' USB drivers]] - choose this if you don't want to install iTunes and the whole bunch of software it comes with * [[EmCORE Installation/iPodClassic/DFUNoiTunes|[ADVANCED] Install a custom device driver for the iPod]] - <span style="color: red;">not always working at the moment. 
use the first method if it fails for you</span> 0b8f486735a7753b5dddc832c012f5220ed9fc3f 4246 4237 2014-09-03T14:07:23Z User890104 124 wikitext text/x-wiki Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|[EASY] Install iTunes]] * [[EmCORE Installation/iPodClassic/InstalliTunesDrivers|[A BIT COMPLICATED] Install only iTunes' USB drivers]] - choose this if you don't want to install iTunes and the whole bunch of software it comes with * <s>[[EmCORE Installation/iPodClassic/DFUNoiTunes|[ADVANCED] Install a custom device driver for the iPod]]</s> - <span style="color: red;">not always working at the moment. use the first method if it fails for you</span> adccffc8a69538673a40c35adbda4e5041103c5b 4268 4246 2016-06-09T01:24:10Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} Please choose the option that you feel more comfortable with: * [[EmCORE Installation/iPodClassic/InstalliTunes|[EASY] Install iTunes]] * [[EmCORE Installation/iPodClassic/InstalliTunesDrivers|[A BIT COMPLICATED] Install only iTunes' USB drivers]] - choose this if you don't want to install iTunes and the whole bunch of software it comes with * <s>[[EmCORE Installation/iPodClassic/DFUNoiTunes|[ADVANCED] Install a custom device driver for the iPod]]</s> - <span style="color: red;">not always working at the moment. use the first method if it fails for you</span> 1c1f979b4ab7ebb688c47f20c133867fac62f20b EmCORE Installation/iPodClassic/InstalliTunesDrivers 0 415 4227 2014-04-06T12:43:01Z User890104 124 Created page with "* Go to http://www.apple.com/itunes/download/ and download the installer (for example, to your Desktop), but do not run it * Get the 7-Zip archiver, and install it: http://7-zip...." 
wikitext text/x-wiki * Go to http://www.apple.com/itunes/download/ and download the installer (for example, to your Desktop), but do not run it * Get the 7-Zip archiver, and install it: http://7-zip.org/download.html * Open 7-Zip, then browse to the Desktop * Right-click the installer, and select '''Open Inside (Ctrl+PgDn)''' * Click on '''AppleMobileDeviceSupport64.msi''', and select '''Copy''' from 7-Zip's toolbar * Select the Desktop as destination * Run the AppleMobileDeviceSupport installer from the Desktop, and let it install If you see a prompt about an Apple service that failed to start, that's OK. Just hit '''Ignore''' * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] ''Note: After you complete the installation, you can go to '''Programs and features''', and remove Apple's drivers (order the apps by '''Date installed''' so you can find it easily)'' f01041f971826b2395da4ebbc49892beb13791fd 4239 4227 2014-08-09T19:07:26Z User890104 124 wikitext text/x-wiki * Go to http://www.apple.com/itunes/download/ and download the installer (for example, to your Desktop), but do not run it * Get the 7-Zip archiver, and install it: http://7-zip.org/download.html * Open 7-Zip, then browse to the Desktop * Right-click the installer, and select '''Open Inside (Ctrl+PgDn)''' * Click on '''AppleMobileDeviceSupport64.msi''', and select '''Copy''' from 7-Zip's toolbar * Select the Desktop as destination * Run the AppleMobileDeviceSupport installer from the Desktop, and let it install If you see a prompt about an Apple service that failed to start, that's OK. 
Just hit '''Ignore''' * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] ''Note: After you complete the emCORE installation, you can go to '''Programs and features''', and remove Apple's drivers (order the apps by '''Date installed''' so you can find it easily)'' 02ccd69a7151ce0e17fd0a5e0eee5b63c77fac8c 4270 4239 2016-06-09T01:24:30Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Go to http://www.apple.com/itunes/download/ and download the installer (for example, to your Desktop), but do not run it * Get the 7-Zip archiver, and install it: http://7-zip.org/download.html * Open 7-Zip, then browse to the Desktop * Right-click the installer, and select '''Open Inside (Ctrl+PgDn)''' * Click on '''AppleMobileDeviceSupport64.msi''', and select '''Copy''' from 7-Zip's toolbar * Select the Desktop as destination * Run the AppleMobileDeviceSupport installer from the Desktop, and let it install If you see a prompt about an Apple service that failed to start, that's OK. Just hit '''Ignore''' * [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] ''Note: After you complete the emCORE installation, you can go to '''Programs and features''', and remove Apple's drivers (order the apps by '''Date installed''' so you can find it easily)'' fb1fc94ab2d5ff2fd20ad988b7104e4b50ee0b30 EmCORE Installation/iPodClassic 0 343 4228 4202 2014-04-06T13:12:23Z User890104 124 wikitext text/x-wiki Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?) 
* [[EmCORE Installation/iPodClassic/ThirdParty|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] e41f31427d6aa957029cf17f3bbac094e1b6e502 4258 4228 2016-06-09T01:20:34Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} Is there already a third party firmware installed on your iPod? (Does it show anything else but an Apple logo during boot?) * [[EmCORE Installation/iPodClassic/ThirdParty|Yes]] * [[EmCORE Installation/iPodClassic/PrepareDFU|No]] c92ee261d446d7dba757dd6d553825576d2a9f6f MediaWiki:Sidebar 8 260 4229 3574 2014-05-08T13:05:27Z User890104 124 add recent software to sidebar wikitext text/x-wiki * navigation ** mainpage|mainpage-description ** recentchanges-url|recentchanges ** randompage-url|randompage * SEARCH * Info ** Status|Status ** Contact|Contact ** Contributing|Contributing ** Todo list|Todo list ** Project summary|Project summary * Software ** iLoader|iLoader ** iBugger|iBugger ** emBIOS|emBIOS ** emCORE|emCORE ** emCOREFS|emCOREFS * Basic skills ** Working with binaries|Working with binaries ** Dumping firmware|Dumping firmware ** Extracting firmware|Extracting firmware * Reverse engineering Results ** Firmware|Firmware ** Firmware decryption|Firmware decryption ** GUID table|GUID Table ** Nano 2G *** Nano 2G Clock Gates|Nano 2G Clock Gates *** Nano2G LCD init|Nano2G LCD init *** Nano2G FTL|Nano2G FTL ** Nano 4G *** Nano4G firmware upgrade process|Nano4G firmware upgrade process * Exploiting ** Pwnage 2.0|Pwnage 2.0 ** Notes vulnerability|Notes vulnerability * Hardware ** Hardware|Hardware ** Chronology|Chronology ** S5L8700 datasheet|S5L8700 datasheet * Other Guides ** MPEG movies|MPEG movies ** Modes|Modes * TOOLBOX * LANGUAGES bea4a30ee139b2ac7dedeb24e5d4f72d4dbc3450 EmCORE Monitor Protocol 0 297 4231 3597 2014-05-08T13:13:09Z User890104 124 clarification about EP0 USB debugging 
wikitext text/x-wiki This article describes the USB communication protocol of emCORE monitor. == Endpoints == {{Template:Outdated|reason=since [http://websvn.freemyipod.org/revision.php?repname=freemyipod&path=%2F&rev=891 r891] emCORE uses only EP0 for debugging, the rest are used by the usermode USB API}} The emCORE Monitor interface contains 4 bulk endpoints, in the following order: * Command OUT Endpoint * Command IN Endpoint * Data OUT Endpoint * Data IN Endpoint If not stated otherwise, everything is little endian. == General Structure == Each packet sent to the Command OUT Endpoint has a 16-byte header. The first 4 bytes, interpreted as a 32-bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, the data immediately follows that header. After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16-byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32-bit word, are the status code; the meaning of the other bytes depends on the command. {| class="wikitable prettytable" |+ Status Codes |- ! Status Code !! Description |- | style="text-align:right" | 0 || Invalid response, you should bail out when receiving this |- | style="text-align:right" | 1 || OK (everything went fine) |- | style="text-align:right" | 2 || Command not supported |- | style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running) |- |} == Commands == === 0: Invalid === Never issue this command. It will be rejected with status code 2. === 1: Get device information === Use this command to figure out various device properties. ==== Get version information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number |- | style="text-align:right" | 8 || style="text-align:right" | 1 || Major version |- | style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version |- | style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version |- | style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID |- |} {| class="wikitable prettytable" |+ Software Types |- ! Software Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 2 || emCORE Debugger |- |} {| class="wikitable prettytable" |+ Hardware Types |- ! Device Type ID !! Description |- | style="text-align:right" | 0 || invalid |- | style="text-align:right" | 0x47324e49 || iPod Nano 2G |- | style="text-align:right" | 0x47334e49 || iPod Nano 3G |- | style="text-align:right" | 0x47344e49 || iPod Nano 4G |- | style="text-align:right" | 0x4c435049 || iPod Classic |- |} ==== Get packet size information ==== {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size |- |} ==== Get user memory address range ==== Provides information about the range of memory not used by emCORE itself. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- |} === 2: Reset === Reboot the device. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! 
Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually reboots. === 3: Power off === Power the device off. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} Both variants are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} The response indicates that the request has been acknowledged; however, there might be a substantial delay before the device actually powers off. === 4: Read memory === Use this command to read small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! 
Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory |- |} === 5: Write memory === Use this command to write small amounts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 6: Read memory using DMA === Use this command to read large amounts of memory through the data pipe. 
You may not request a transfer that would exceed the maximum Data IN Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, read the requested data from the Data IN Endpoint. === 7: Write memory using DMA === Use this command to write large amounts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} After receiving the response, send the data to be written to the Data OUT Endpoint. === 8: Read from I2C device === Use this command to read from an I2C slave. 
You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1) |- |} === 9: Write to I2C device === Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index |- | style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits) |- | style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device |- | style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device |- |} I2C transactions are asynchronous commands. {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 10: Read from the USB console === Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer |- | style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size |- |} === 11: Write to the USB console === Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer |- |} === 12: Write to device's consoles === Use this command to write data to one or more of the consoles. 
This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- | style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 13: Read from device's consoles === Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size |- |} === 14: Flush device's console buffers === Use this command to flush one or more console's buffers. This is equivalent to the cflush system call. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 15: Get process information === Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes) |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined |- | style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds |- |} === 16: (Un)Freeze scheduler === Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 17: (Un)Suspend thread === Suspend or resume a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |} === 18: Kill thread === Kill a thread {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 19: Create thread === Create a new thread. This command uses an extended command size of 32 bytes. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread |- | style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes |- | style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1) |- | style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255) |- | style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative) |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 20: Flush CPU caches === Flushes the CPU's instruction and data caches {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 21: Execute image === Executes an emCORE executable image. This is an asynchronous command. 
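
The 16-byte header from General Structure, the status-code table, and the Get version information, Get packet size information and Read memory (command 4) packets documented earlier on this page, as an added host-side example (not code from the emCORE project). It only builds and parses bytes and does no USB I/O; the function names and the sample responses are constructed for illustration.

```python
import struct

HEADER_SIZE = 16  # every command and response starts with a 16-byte header

# Status codes and type IDs copied from the tables on this page.
STATUS_OK, STATUS_UNSUPPORTED, STATUS_BUSY = 1, 2, 3
SOFTWARE_TYPES = {2: "emCORE Debugger"}
DEVICE_TYPES = {
    0x47324E49: "iPod Nano 2G",
    0x47334E49: "iPod Nano 3G",
    0x47344E49: "iPod Nano 4G",
    0x4C435049: "iPod Classic",
}


class ProtocolError(Exception):
    """Response was malformed or carried a non-OK status."""


class DeviceBusy(ProtocolError):
    """Status 3: another asynchronous command is running, retry later."""


def build_command(cmd_id, *args, payload=b""):
    """Pack the command ID plus up to three 32-bit LE words, zero-filled to 16 bytes."""
    if cmd_id == 0:
        raise ValueError("command 0 is invalid and must never be issued")
    if len(args) > 3:
        raise ValueError("a 16-byte header holds at most three argument words")
    words = (cmd_id, *args) + (0,) * (3 - len(args))
    return struct.pack("<4I", *words) + payload


def check_status(response):
    """Validate the response header before trusting any other field."""
    if len(response) < HEADER_SIZE:
        raise ProtocolError(f"short response: {len(response)} bytes")
    (status,) = struct.unpack_from("<I", response, 0)
    if status == STATUS_OK:
        return
    if status == STATUS_BUSY:
        raise DeviceBusy("device busy, retry later")
    if status == STATUS_UNSUPPORTED:
        raise ProtocolError("command not supported")
    # Status 0 is documented as invalid; any other value is treated the same here.
    raise ProtocolError(f"invalid response (status {status}), bailing out")


def parse_version(response):
    """Decode the response to command 1, information type 0."""
    check_status(response)
    _, rev, major, minor, patch, sw, dev = struct.unpack_from("<IIBBBBI", response, 0)
    return {
        "revision": rev,
        "version": f"{major}.{minor}.{patch}",
        "software": SOFTWARE_TYPES.get(sw, "invalid/unknown"),
        "device": DEVICE_TYPES.get(dev, "invalid/unknown"),
    }


def parse_packet_sizes(response):
    """Decode the response to command 1, information type 1."""
    check_status(response)
    _, cmd_out, cmd_in, data_out, data_in = struct.unpack_from("<IHHII", response, 0)
    return {"cmd_out": cmd_out, "cmd_in": cmd_in,
            "data_out": data_out, "data_in": data_in}


def build_read_memory(address, length, max_cmd_in):
    """Command 4: header plus data must fit in one Command IN packet."""
    if length < 0 or HEADER_SIZE + length > max_cmd_in:
        raise ValueError(f"read of {length} bytes exceeds Command IN limit {max_cmd_in}")
    return build_command(4, address, length)


def parse_read_memory(response, length):
    """Return exactly the requested bytes that follow the 16-byte header."""
    check_status(response)
    if len(response) < HEADER_SIZE + length:
        raise ProtocolError("response shorter than the requested read")
    return response[HEADER_SIZE:HEADER_SIZE + length]


# Constructed sample responses (not captured from a device).
SAMPLE_VERSION = struct.pack("<IIBBBBI", 1, 1000, 0, 2, 1, 2, 0x4C435049)
SAMPLE_SIZES = struct.pack("<IHHII", 1, 64, 64, 512, 512)
SAMPLE_BUSY = struct.pack("<4I", 3, 0, 0, 0)
SAMPLE_READ = struct.pack("<4I", 1, 0, 0, 0) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    print(build_command(1, 0).hex())            # Get version information request
    print(parse_version(SAMPLE_VERSION))
    sizes = parse_packet_sizes(SAMPLE_SIZES)
    print(build_read_memory(0x1000, 48, sizes["cmd_in"]).hex())  # constructed address
    print(parse_read_memory(SAMPLE_READ, 4).hex())
```
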
{| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success. |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined |- |} === 22: Read raw boot flash === Reads raw data from the boot flash to RAM. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 23: Write raw boot flash === Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width) |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 24: Execute firmware === Executes a firmware image at the specified address. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located |- | style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 25: Hardware key AES === Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25) |- | style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1) |- | style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero |- | style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} === 26: HMAC-SHA1 === Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command. {| class="wikitable prettytable" |+ Command Packet |- ! Offset !! Size (bytes) !! Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26) |- | style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed |- | style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed |- | style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored |- |} {| class="wikitable prettytable" |+ Response Packet |- ! Offset !! Size (bytes) !! 
Description |- | style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1) |- | style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined |- |} 5dba5f80985ab419ced3138c7203bf8a6c98f760 Restore iPod without iTunes 0 416 4247 2015-02-08T20:22:26Z User890104 124 Created page with "Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firm..." wikitext text/x-wiki Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, that's the article you're looking for! First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it would be back to life in a minute or two. ''But, .... it doesn't work! What should I do? It's BROKEN!'' Calm down, and keep reading... =Prerequisites= * An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!) 
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi

=Overview of the procedure=
# You put the ipod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it (exploit a bootrom vulnerability, to be exact)
# You install Python and pyusb
# You send the first stage of the restore firmware (called "DFU") to the ipod using ipoddfu
# The ipod reconnects with different USB IDs
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "WTF") to the ipod using ipoddfu
# The ipod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the ipod - all three at once using ipodscsi
# Your ipod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
==Putting the ipod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your ipod.
# Lock the HOLD switch, then unlock it after a second.
# Connect the USB cable to the ipod.
# During the next two steps, disregard what happens on the ipod's screen, just do what we ask you to.
# Hold down MENU+SELECT, and count to 12.
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open Zadig # Click menu Options -> List all devices # Select USB DFU Device (the first box of USB ID should be 05AC, the second one depends on the ipod model - 1223 for iPod Classic) # From the options to the right of the green arrow, select libusb-win32 # Click the large button named Install driver or Replace driver or Reinstall driver (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (DFU)== # Press the Start menu button # Type cmd and Press Enter # In the black window that opens, type cd Desktop and press Enter (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the ipsw file to zip # Use your favourite tool to extract the zip, WinZip, WinRAR and 7-zip will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to Firmware\dfu. There should be a file named WTF.x1223.RELEASE.dfu there. Copy it to the desktop. # Back in the black window, type: python ipoddfu.py WTF.x1223.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... 
done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is 1241 for Classic 1G, 1245 for Classic 2G or 1247 for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For Classic 1G (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For Classic 2G (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For Classic 3G (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder Firmware/dfu, and copy the file to your desktop. It should be named FIRMWARE.x****.RELEASE.dfu where **** is the USB ID of your ipod at the moment. # Repeat the previous ipoddfu command, but this time using the name of the file you just copied. For example: python ipoddfu.py FIRMWARE.x1245.RELEASE.dfu and press Enter. You should see the following output: 62abd49c81aa13efe448134dfdcd3d6ca49a0866 4248 4247 2015-02-08T21:38:30Z User890104 124 wikitext text/x-wiki Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). 
You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, that's the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...

=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi

=Overview of the procedure=
# You put the ipod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it (exploit a bootrom vulnerability, to be exact)
# You install Python and pyusb
# You send the first stage of the restore firmware (called "DFU") to the ipod using ipoddfu
# The ipod reconnects with different USB IDs
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "WTF") to the ipod using ipoddfu
# The ipod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the ipod - all three at once using ipodscsi
# Your ipod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
==Putting the ipod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your ipod.
# Lock the HOLD switch, then unlock it after a second.
# Connect the USB cable to the ipod.
# During the next two steps, disregard what happens on the ipod's screen, just do what we ask you to. # Hold down MENU+SELECT, and count to 12. # Release the buttons. # You're in DFU mode. Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open Zadig # Click menu Options -> List all devices # Select USB DFU Device (the first box of USB ID should be 05AC, the second one depends on the ipod model - 1223 for iPod Classic) # From the options to the right of the green arrow, select libusb-win32 # Click the large button named Install driver or Replace driver or Reinstall driver (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (DFU)== # Press the Start menu button # Type cmd and Press Enter # In the black window that opens, type cd Desktop and press Enter (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the ipsw file to zip # Use your favourite tool to extract the zip, WinZip, WinRAR and 7-zip will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to Firmware\dfu. There should be a file named WTF.x1223.RELEASE.dfu there. Copy it to the desktop. 
# Back in the black window, type: (or copy/paste) python ipoddfu.py WTF.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is 1241 for Classic 1G, 1245 for Classic 2G or 1247 for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For Classic 1G (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For Classic 2G (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For Classic 3G (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder Firmware/dfu, and copy the file to your desktop. It should be named FIRMWARE.x****.RELEASE.dfu where **** is the USB ID of your ipod at the moment. # Type this command: python ipoddfu.py FIRMWARE.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to iPod Classic 2G WTF mode, USB version 1 Upload: ........................................................................ 
................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ............... done After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more second a white screen with a stop sign and text Do not disconnect at the bottom. Windows might want to reformat it, say No if it does. Continue to the next step. ==Final step: Install Apple's firmware== # You're almost there. Go to [http://www.felixbruns.de/iPod/firmware/] and download the latest firmware for your iPod model. # As you might have guessed, you need to rename the ipsw to zip, and extract it. # In that folder, you'll find a file named Firmware-XX-X.X.X. Copy it to the desktop. # Download [http://files.freemyipod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop. # Open Windows Explorer, and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. F:) # Open the black window, and type: ipodscsi F: ipod6g writefirmware -p -r Firmware-* You should see: iPodSCSI v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven) This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Repartitioning... done Initiating firmware transfer... done Writing firmware................................................................ ................................................................................ ................................................................................ 
................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ...... done Rebooting device... done Your ipod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will again, show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use FAT32 as filesystem. Windows isn't going to allow you format large devices with FAT32, so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice. Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]]. Enjoy your unbricked ipod! 
=Related info= * [[Modes|USB Modes of iPods]] * [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]] * [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)] * [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple] de12f11e4d50371da2d9283ba7d51bbc7fe08aa2 4249 4248 2015-02-08T21:39:12Z User890104 124 wikitext text/x-wiki Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, that's the article you're looking for! First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it would be back to life in a minute or two. ''But, .... it doesn't work! What should I do? It's BROKEN!'' Calm down, and keep reading... =Prerequisites= * An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!) 
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi

=Overview of the procedure=
# You put the ipod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it (exploit a bootrom vulnerability, to be exact)
# You install Python and pyusb
# You send the first stage of the restore firmware (called "DFU") to the ipod using ipoddfu
# The ipod reconnects with different USB IDs
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "WTF") to the ipod using ipoddfu
# The ipod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the ipod - all three at once using ipodscsi
# Your ipod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
==Putting the ipod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your ipod.
# Lock the HOLD switch, then unlock it after a second.
# Connect the USB cable to the ipod.
# During the next two steps, disregard what happens on the ipod's screen, just do what we ask you to.
# Hold down MENU+SELECT, and count to 12.
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open Zadig # Click menu Options -> List all devices # Select USB DFU Device (the first box of USB ID should be 05AC, the second one depends on the ipod model - 1223 for iPod Classic) # From the options to the right of the green arrow, select libusb-win32 # Click the large button named Install driver or Replace driver or Reinstall driver (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (DFU)== # Press the Start menu button # Type cmd and Press Enter # In the black window that opens, type cd Desktop and press Enter (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyipod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyipod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the ipsw file to zip # Use your favourite tool to extract the zip, WinZip, WinRAR and 7-zip will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to Firmware\dfu. There should be a file named WTF.x1223.RELEASE.dfu there. Copy it to the desktop. # Back in the black window, type: (or copy/paste) python ipoddfu.py WTF.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... 
done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is 1241 for Classic 1G, 1245 for Classic 2G or 1247 for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For Classic 1G (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For Classic 2G (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For Classic 3G (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder Firmware/dfu, and copy the file to your desktop. It should be named FIRMWARE.x****.RELEASE.dfu where **** is the USB ID of your ipod at the moment. # Type this command: python ipoddfu.py FIRMWARE.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to iPod Classic 2G WTF mode, USB version 1 Upload: ........................................................................ ................................................................................ ................................................................................ ................................................................................ 
................................................................................ ................................................................................ ................................................................................ ............... done After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more second a white screen with a stop sign and text Do not disconnect at the bottom. Windows might want to reformat it, say No if it does. Continue to the next step. ==Final step: Install Apple's firmware== # You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model. # As you might have guessed, you need to rename the ipsw to zip, and extract it. # In that folder, you'll find a file named Firmware-XX-X.X.X. Copy it to the desktop. # Download [http://files.freemyipod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop. # Open Windows Explorer, and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. F:) # Open the black window, and type: ipodscsi F: ipod6g writefirmware -p -r Firmware-* You should see: iPodSCSI v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven) This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Repartitioning... done Initiating firmware transfer... done Writing firmware................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ 
................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ...... done Rebooting device... done Your ipod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will again, show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use FAT32 as filesystem. Windows isn't going to allow you format large devices with FAT32, so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice. Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]]. Enjoy your unbricked ipod! 
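The rename-to-zip, extract and copy steps above, as an added Python 3 example (not part of ipoddfu or the original page): it opens the .ipsw directly as a ZIP archive, picks the stage file by the USB product ID the page lists, and returns a SHA-256 so the image fetched over plain HTTP can be compared against a digest you recorded earlier. The names <code>load_stage_image</code>, <code>STAGE_FILE_BY_PID</code>, the 16 MiB size cap and the sample archive are assumptions made for this example.

```python
import hashlib
import io
import zipfile

# USB product IDs from the page (vendor ID 05AC) mapped to the stage file the
# page says to copy out of Firmware/dfu in the matching recovery IPSW.
STAGE_FILE_BY_PID = {
    0x1223: "WTF.x1223.RELEASE.dfu",       # Classic in bootrom DFU mode
    0x1241: "FIRMWARE.x1241.RELEASE.dfu",  # Classic 1G in WTF mode
    0x1245: "FIRMWARE.x1245.RELEASE.dfu",  # Classic 2G in WTF mode
    0x1247: "FIRMWARE.x1247.RELEASE.dfu",  # Classic 3G in WTF mode
}

MAX_IMAGE_SIZE = 16 * 1024 * 1024  # assumed sanity cap, not a value from the page


class StageImageError(Exception):
    """The archive does not hold exactly the image expected for this USB ID."""


def load_stage_image(ipsw, product_id, expected_sha256=None):
    """Read one stage image out of an IPSW (path or file object).

    Returns (file_name, data, sha256_hex). Only the single expected member is
    read into memory, so no archive path is ever written to disk.
    """
    try:
        wanted = STAGE_FILE_BY_PID[product_id]
    except KeyError:
        raise StageImageError("no stage file known for USB ID %04X" % product_id)
    member = "Firmware/dfu/" + wanted

    with zipfile.ZipFile(ipsw) as archive:
        matches = [info for info in archive.infolist()
                   if info.filename.replace("\\", "/") == member]
        if len(matches) != 1:
            present = sorted(i.filename for i in archive.infolist()
                             if i.filename.lower().endswith(".dfu"))
            raise StageImageError(
                "expected exactly one %s, archive has .dfu members: %s"
                % (member, present or "none"))
        info = matches[0]
        if not 0 < info.file_size <= MAX_IMAGE_SIZE:
            raise StageImageError("implausible image size: %d" % info.file_size)
        data = archive.read(info)  # zipfile checks the stored CRC-32 here

    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256.lower():
        raise StageImageError("SHA-256 mismatch: got %s" % digest)
    return wanted, data, digest


def build_constructed_ipsw(members):
    """Build a small in-memory archive for the demo (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_constructed_ipsw({
        "Firmware/dfu/WTF.x1223.RELEASE.dfu": b"constructed stage-1 bytes",
        "manifest.plist": b"<plist/>",
    })
    name, data, digest = load_stage_image(sample, 0x1223)
    print(name, len(data), digest)
```

Record the digest the first time a restore succeeds and pass it as <code>expected_sha256</code> on later runs; a mismatch or a missing member stops before anything is sent to the device.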
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple]
3314131a09d20acbe321531c838297e04febf609 4250 4249 2015-02-08T21:56:31Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, that's the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...

=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.

=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi

=Overview of the procedure=
# You put the iPod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it (exploit a bootrom vulnerability, to be exact)
# You install Python and pyusb
# You send the first stage of the restore firmware (called "DFU") to the iPod using ipoddfu
# The iPod reconnects with different USB IDs
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "WTF") to the iPod using ipoddfu
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all three at once using ipodscsi
# Your iPod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
There's a video of what you see on your computer during the whole procedure. At some point, I messed up the arguments of ipodscsi, so I tried again. Sorry about that.

Link to the video: https://www.youtube.com/watch?v=IEz0cCDBqnQ

==Putting the iPod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button), and count to 12.
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open '''Zadig''' # Click menu '''Options''' -> '''List all devices''' # Select USB DFU Device (the first box of USB ID should be '''05AC''', the second one depends on the iPod model - '''1223''' for iPod Classic) # From the options to the right of the green arrow, select '''libusb-win32''' # Click the large button named '''Install driver''' or '''Replace driver''' or '''Reinstall driver''' (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (DFU)== # Press the Start menu button # Type '''cmd''' and press '''Enter''' # In the black window that opens, type '''cd Desktop''' and press '''Enter''' (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyiPod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyiPod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the '''ipsw''' file to '''zip''' # Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop. 
# Back in the black window, type: (or copy/paste) python ipoddfu.py WTF.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is '''1241''' for Classic 1G, '''1245''' for Classic 2G or '''1247''' for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For '''Classic 1G''' (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For '''Classic 2G''' (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For '''Classic 3G''' (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment. # Type this command: python ipoddfu.py FIRMWARE.x????.RELEASE.dfu and press Enter. 
You should see the following output:
 Connected to iPod Classic 2G WTF mode, USB version 1
 Upload: ........................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ............... done
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.
==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take note of its drive letter (e.g. '''F:''')
# Open the black window, and type:
 ipodscsi F: iPod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer...
 done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.
Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]]. Enjoy your unbricked iPod!
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple]
3cc31d09cea86928dc985bb1fb9e6bf643606fc1 4252 4250 2015-02-08T21:58:46Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...
=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.
=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience
=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi
=Overview of the procedure=
# You put the iPod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it (to exploit a bootrom vulnerability, to be exact)
# You install Python and pyusb
# You send the first stage of the restore firmware (called "DFU") to the iPod using ipoddfu
# The iPod reconnects with a different USB ID
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "WTF") to the iPod using ipoddfu
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all three at once using ipodscsi
# Your iPod is working again. Yay!
You're ready? Ok, let's do it!
=Steps to restore=
There's a video of what you see on your computer during the whole procedure. At some point, I messed up the arguments of ipodscsi, so I tried again. Sorry about that.

Link to the video: https://www.youtube.com/watch?v=IEz0cCDBqnQ
==Putting the iPod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button), and count to 12.
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open '''Zadig''' # Click menu '''Options''' -> '''List all devices''' # Select USB DFU Device (the first box of USB ID should be '''05AC''', the second one depends on the iPod model - '''1223''' for iPod Classic) # From the options to the right of the green arrow, select '''libusb-win32''' # Click the large button named '''Install driver''' or '''Replace driver''' or '''Reinstall driver''' (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (DFU)== # Press the Start menu button # Type '''cmd''' and press '''Enter''' # In the black window that opens, type '''cd Desktop''' and press '''Enter''' (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyiPod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyiPod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the '''ipsw''' file to '''zip''' # Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop. 
# Back in the black window, type: (or copy/paste) python ipoddfu.py WTF.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is '''1241''' for Classic 1G, '''1245''' for Classic 2G or '''1247''' for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For '''Classic 1G''' (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For '''Classic 2G''' (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For '''Classic 3G''' (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment. # Type this command: python ipoddfu.py FIRMWARE.x????.RELEASE.dfu and press Enter. 
You should see the following output:
 Connected to iPod Classic 2G WTF mode, USB version 1
 Upload: ........................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ............... done
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.
==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take note of its drive letter (e.g. '''F:''')
# Open the black window, and type:
 ipodscsi F: iPod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer...
 done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.
Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]]. Enjoy your unbricked iPod!
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]
737359cf9310c548ef003a2c291ad3b7405030c2 4253 4252 2015-02-08T22:06:00Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...
=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.
=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience
=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi
=Overview of the procedure=
# You put the iPod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it
# You install Python and pyusb
# You send the first stage of the restore firmware (called "WTF") to the iPod using ipoddfu
# The iPod reconnects with a different USB ID
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "FIRMWARE") to the iPod using ipoddfu
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all three at once using ipodscsi
# Your iPod is working again. Yay!
You're ready? Ok, let's do it!
=Steps to restore=
There's a video of what you see on your computer during the whole procedure. At some point, I messed up the arguments of ipodscsi, so I tried again. Sorry about that.

Link to the video: https://www.youtube.com/watch?v=IEz0cCDBqnQ
==Putting the iPod into DFU mode==
# Get a USB-to-iPod cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button), and count to 12.
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE ==Installing a custom DFU driver== # Download [http://zadig.akeo.ie/ Zadig] # Open '''Zadig''' # Click menu '''Options''' -> '''List all devices''' # Select USB DFU Device (the first box of USB ID should be '''05AC''', the second one depends on the iPod model - '''1223''' for iPod Classic) # From the options to the right of the green arrow, select '''libusb-win32''' # Click the large button named '''Install driver''' or '''Replace driver''' or '''Reinstall driver''' (depending on what driver you have installed at the moment) # Wait for Zadig to complete the installation. # You're ready for the next step ==Uploading the first restore stage (WTF)== # "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway. # Press the Start menu button # Type '''cmd''' and press '''Enter''' # In the black window that opens, type '''cd Desktop''' and press '''Enter''' (in case your Windows installation is localized, type the name of your desktop folder in your language instead) # Download this file to your Desktop: [http://svn.freemyiPod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...) # And this one, too: [http://svn.freemyiPod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there # Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server) # Go to your desktop, and rename the '''ipsw''' file to '''zip''' # Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do. # Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. 
There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop. # Back in the black window, type: (or copy/paste) python ipoddfu.py WTF.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: ................... done If you see something different, stop here. Otherwise, go ahead. ==Installing a custom WTF driver== # It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is '''1241''' for Classic 1G, '''1245''' for Classic 2G or '''1247''' for Classic 3G # Complete the installation, and move to the next step ==Uploading the second restore stage (FIRMWARE)== # Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step. ## For '''Classic 1G''' (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw] ## For '''Classic 2G''' (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw] ## For '''Classic 3G''' (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw] # As before, rename it to zip and extract it. # Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment. # Type this command: python ipoddfu.py FIRMWARE.x????.RELEASE.dfu and press Enter. You should see the following output: Connected to iPod Classic 2G WTF mode, USB version 1 Upload: ........................................................................ 
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ............... done
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.
==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take note of its drive letter (e.g. '''F:''')
# Open the black window, and type:
 ipodscsi F: ipod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer... done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.

Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]]. Enjoy your unbricked iPod!
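The rename-to-zip, extract and copy steps above can be done in one pass. The following is an added example, not part of the original wiki page or of ipoddfu: it maps the USB product IDs listed on this page to the stage file name, reads only that one member from the IPSW so that no archive path can write outside the destination folder, and returns the file's SHA-256 so a download fetched over plain HTTP can be compared with a value you already trust. The function names, the 64 MiB size cap and the sample archive are assumptions made for the example.

```python
"""Extract one restore stage (.dfu) from a Recovery IPSW without renaming or
unpacking the whole archive. Added example; not part of ipoddfu."""
import hashlib
import io
import os
import tempfile
import zipfile

# USB product IDs and stage-name prefixes as listed on this page (vendor ID 05AC).
STAGES = {
    0x1223: ("WTF", "iPod Classic in bootrom DFU mode"),
    0x1241: ("FIRMWARE", "iPod Classic 1G in WTF mode"),
    0x1245: ("FIRMWARE", "iPod Classic 2G in WTF mode"),
    0x1247: ("FIRMWARE", "iPod Classic 3G in WTF mode"),
}
MAX_STAGE_SIZE = 64 * 1024 * 1024  # assumed sanity cap, not a documented limit


def stage_filename(pid):
    """Name of the .dfu file to send while the iPod enumerates with this product ID."""
    if pid not in STAGES:
        raise ValueError("product ID %04X is not one of the IDs on this page" % pid)
    return "%s.x%04X.RELEASE.dfu" % (STAGES[pid][0], pid)


def extract_stage(ipsw, pid, dest_dir, expected_sha256=None):
    """Copy Firmware/dfu/<stage file> out of the IPSW and return (path, sha256 hex).

    ipsw may be a path or a binary file object. Only the exact expected member is
    read; its archive path is never used to build the output path.
    """
    name = stage_filename(pid)
    wanted = ("Firmware/dfu/" + name).lower()  # folder layout as described on the page
    with zipfile.ZipFile(ipsw) as archive:
        hits = [m for m in archive.infolist() if m.filename.lower() == wanted]
        if len(hits) != 1:
            raise LookupError("expected exactly one Firmware/dfu/%s, found %d"
                              % (name, len(hits)))
        if hits[0].file_size > MAX_STAGE_SIZE:
            raise ValueError("%s is implausibly large (%d bytes)"
                             % (name, hits[0].file_size))
        data = archive.read(hits[0])  # zipfile checks the member's CRC-32 here
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch for %s: got %s" % (name, digest))
    out_path = os.path.join(dest_dir, name)
    with open(out_path, "wb") as out:
        out.write(data)
    return out_path, digest


def build_constructed_ipsw():
    """Constructed sample archive (not a real IPSW) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Firmware/dfu/WTF.x1223.RELEASE.dfu", b"constructed WTF stage")
        # Decoy with a traversal path: must be ignored, never written anywhere.
        archive.writestr("../Firmware/dfu/WTF.x1223.RELEASE.dfu", b"constructed decoy")
        archive.writestr("manifest.plist", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        sample = io.BytesIO(build_constructed_ipsw())
        path, digest = extract_stage(sample, 0x1223, workdir)
        print(os.path.basename(path), digest)
```

With the real download, `extract_stage("x12230000_Recovery.ipsw", 0x1223, ".")` leaves '''WTF.x1223.RELEASE.dfu''' in the current folder, ready to pass to ipoddfu.py as in the steps above.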
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]
d3d2813c22f882e4417afe24ae57f16083f0477e 4254 4253 2015-02-08T22:15:35Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...
=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.
=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience
=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi
=Overview of the procedure=
# You put the iPod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it
# You install Python and pyusb
# You send the first stage of the restore firmware (called "WTF") to the iPod using ipoddfu
# The iPod reconnects with a different USB ID
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "FIRMWARE") to the iPod using ipoddfu
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all three at once using ipodscsi
# Your iPod is working again. Yay!
You're ready? Ok, let's do it!
=Steps to restore=
There's a video of what you see on your computer during the whole procedure. At some point, I messed up the arguments of ipodscsi, so I tried again. Sorry about that.

Link to the video: https://www.youtube.com/watch?v=IEz0cCDBqnQ
==Putting the iPod into DFU mode==
# Get a USB to iPod dock cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button) for 12 seconds (count to 12, just to be sure that your timing is right).
# Release the buttons.
# You're in DFU mode.
Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE
==Installing a custom DFU driver==
# Download [http://zadig.akeo.ie/ Zadig].
# Open '''Zadig'''.
# Click menu '''Options''' -> '''List all devices'''.
# Select USB DFU Device (the first box of USB ID should be '''05AC''', the second one depends on the iPod model - '''1223''' for iPod Classic)
# Make sure that the selector to the right of the green arrow shows '''WinUSB''', and change it if it doesn't.
# Click the large button named '''Install driver''' or '''Replace driver''' or '''Reinstall driver''' (depending on what driver you have installed at the moment).
# Wait for Zadig to complete the installation.
# You're ready for the next step.

==Uploading the first restore stage (WTF)==
# "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway.
# Press the Start menu button.
# Type '''cmd''' and press '''Enter'''.
# In the black window that opens, type '''cd Desktop''' and press '''Enter'''.
# Download this file to your Desktop: [http://svn.freemyiPod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...).
# And this one, too: [http://svn.freemyiPod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there.
# Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server).
# Go to your desktop, and rename the '''ipsw''' file to '''zip'''.
# Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do.
# Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop.
# Back in the black window, type (or copy/paste):
 python ipoddfu.py WTF.x????.RELEASE.dfu
and press Enter. You should see the following output:
 Connected to S5L8702 Bootrom DFU mode, USB version 1
 Upload: ................... done
If you see something different, stop here. Otherwise, go ahead.

==Installing a custom WTF driver==
# It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is '''1241''' for Classic 1G, '''1245''' for Classic 2G or '''1247''' for Classic 3G.
# Complete the installation, and move to the next step.

==Uploading the second restore stage (FIRMWARE)==
# Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step.
## For '''Classic 1G''' (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw].
## For '''Classic 2G''' (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw].
## For '''Classic 3G''' (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw].
# As before, rename it to zip and extract it.
# Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment.
# Type this command:
 python ipoddfu.py FIRMWARE.x????.RELEASE.dfu
and press Enter. You should see the following output:
 Connected to iPod Classic 2G WTF mode, USB version 1
 Upload: ........................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ............... done
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.

==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. '''F:''').
# Open the black window, and type:
 ipodscsi F: ipod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions. There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer... done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will again show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.

Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]].

Enjoy your unbricked iPod!
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]

6067f98953b891e07cfadae4ca408ac4163d3586 4255 4254 2015-02-08T23:57:22Z User890104 124 wikitext text/x-wiki

Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it, just accept it and it will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...

=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.

=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Files needed=
* Zadig
* Python + pyusb + libusb
* ipoddfu.py
* libipoddfu.py
* ipodscsi

=Overview of the procedure=
# You put the iPod into DFU mode
# You install a custom driver for that device, so ipoddfu can talk to it
# You install Python and pyusb
# You send the first stage of the restore firmware (called "WTF") to the iPod using ipoddfu
# The iPod reconnects with different USB IDs
# You install a custom driver for the new USB device
# You send the second stage of the restore firmware (called "FIRMWARE") to the iPod using ipoddfu
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all three at once using ipodscsi
# Your iPod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
There's also a video of (almost) the whole procedure. The commands are longer, because I have the files in different directories. Also, it doesn't show USB driver installation, because I already have them installed.

Link to the video: https://www.youtube.com/watch?v=6-nEXXv8_PY

==Putting the iPod into DFU mode==
# Get a USB to iPod dock cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button) for 12 seconds (count to 12, just to be sure that your timing is right).
# Release the buttons.
# You're in DFU mode.

Here's a video, to make it clearer: https://www.youtube.com/watch?v=Y_bIDtBohnE

==Installing a custom DFU driver==
# Download [http://zadig.akeo.ie/ Zadig].
# Open '''Zadig'''.
# Click menu '''Options''' -> '''List all devices'''.
# Select USB DFU Device (the first box of USB ID should be '''05AC''', the second one depends on the iPod model - '''1223''' for iPod Classic)
# Make sure that the selector to the right of the green arrow shows '''WinUSB''', and change it if it doesn't.
# Click the large button named '''Install driver''' or '''Replace driver''' or '''Reinstall driver''' (depending on what driver you have installed at the moment).
# Wait for Zadig to complete the installation.
# You're ready for the next step.

==Uploading the first restore stage (WTF)==
# "What the f*ck"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway.
# Press the Start menu button.
# Type '''cmd''' and press '''Enter'''.
# In the black window that opens, type '''cd Desktop''' and press '''Enter'''.
# Download this file to your Desktop: [http://svn.freemyiPod.org/tools/ipoddfu/ipoddfu.py ipoddfu.py] (Right-click, then choose Save link as...).
# And this one, too: [http://svn.freemyiPod.org/tools/ipoddfu/libipoddfu.py libipoddfu.py], make sure you also put it there.
# Another one, this time from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server).
# Go to your desktop, and rename the '''ipsw''' file to '''zip'''.
# Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do.
# Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop.
# Back in the black window, type (or copy/paste):
 python ipoddfu.py WTF.x????.RELEASE.dfu
and press Enter. You should see the following output:
 Connected to S5L8702 Bootrom DFU mode, USB version 1
 Upload: ................... done
If you see something different, stop here. Otherwise, go ahead.

==Installing a custom WTF driver==
# It's the same as the previous driver install, this time the device is named iPod Recovery and the second ID is '''1241''' for Classic 1G, '''1245''' for Classic 2G or '''1247''' for Classic 3G.
# Complete the installation, and move to the next step.

==Uploading the second restore stage (FIRMWARE)==
# Download one of the following files, depending on your iPod model. You can tell it from the USB ID in the previous step.
## For '''Classic 1G''' (USB ID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw].
## For '''Classic 2G''' (USB ID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw].
## For '''Classic 3G''' (USB ID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw].
# As before, rename it to zip and extract it.
# Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment.
# Type this command:
 python ipoddfu.py FIRMWARE.x????.RELEASE.dfu
and press Enter. You should see the following output:
 Connected to iPod Classic 2G WTF mode, USB version 1
 Upload: ........................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ............... done
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.

==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. '''F:''').
# Open the black window, and type:
 ipodscsi F: ipod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions. There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer... done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will again show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.

Then use iTunes to manage your music/videos. Or [[EmCORE_Installation|install emCORE]].

Enjoy your unbricked iPod!
=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]

558d57cd995429d7a57252d20f7b6959f64c15fb Nano4G firmware upgrade process 0 186 4251 4121 2015-02-08T21:57:37Z User890104 124 wikitext text/x-wiki

==Protocol description==
the whole firmware update is done through a custom 0xc6 scsi command

first, the update is initiated by a c6 96 00 00 00 00 00 00 00 00 packet, that will get a 4-byte response (meaning unknown)

maybe the count of update log entries?

then the last update log page (4KB) is read using a c6 97 00 01 00 00 00 00 00 00 packet

then a new log page (4KB) is written using a c6 98 00 01 00 00 00 00 00 00 packet

then there is a c6 94 00 02 80 00 00 00 00 00 00 00 00 00 00 00 packet, no idea what it's good for, no data stage

the next stage is uploading the "N58s.bootloader.release.rb3" file, using a c6 90 <type> <size> 00 00 00 00 00 00 00 00 00 packet

<type> is 00 for the MSE, and 01 for the RB3 file, size is the big endian 32bit file size

the transfer itself is done using c6 91 00 10 00 00 00 00 00 00 packets, each (besides the last one, which is trimmed to the number of bytes left to be transferred) followed by 5 data stages, being 16384, 3584, 16384, 16384 and 12800 bytes in size

I can't think of any reason for this weird splitting, maybe it isn't even necessary and just an itunes weirdness

then the transfer is closed using a c6 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 packet

the next step is uploading "Firmware.MSE" the same way

finally a c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 is sent (no data stage), and another log entry is written

that's the whole deal.

-- [[User:TheSeven|TheSeven]] 22:21, 30 November 2009 (UTC)

==Sending commands==
To send these commands on Linux you need the scsirastools (http://scsirastools.sourceforge.net/). On Debian you have to build it yourself using configure, make, make install. Once you have built it, run as root:
 sgdiag -I
You will get a prompt. First type c to send a custom command, then the number of the device (the list is just above). The CDB length is 10, then the bytes are c6 ... (e.g. c6 97 00 01 00 00 00 00 00 00 for the first one). The response data length is 4 bytes for the first command, 0 for the ones with no data stage or for uploading firmware or log sending, and 4096 for log reading. The output data length is the size of the data sent to the iPod (excluding the command).

That's it. If the device is an iPod you should get a response, if it isn't you will get an error message.

==Commands summary==
0xc6 is the first byte, then:
* 0x90 <type> <4-byte size> [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> init update process (type 0 = firmware, 1 = bootloader)
* 0x91 0x00 0x10 [0x00 0x00 0x00 0x00 0x00 0x00] + data -> upload data
* 0x92 [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> end update process
* 0x94 <be32:fwpartsize_in_kb> [0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] -> repartition hdd/flash - only useful when restoring or if the firmware partition was altered. It is not used when an update (preserving user data/settings) is performed

The bytes in brackets are optional.

TheSeven: from what it looks like the 96 and 31 commands don't even have a handler on the ipod side

==Automated image uploading==
There's an app that implements this protocol. Its source code is available at [http://svn.freemyipod.org/tools/ipodscsi/ our SVN]. Use MinGW to compile it (or get the binary [http://files.freemyipod.org/misc/ipodscsi.exe here]); only a Windows version is available at the moment.
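The 0xc6 command sequence from the protocol description and commands summary above, written out as Python that builds the CDBs, splits a file into 0x91 upload blocks and decodes CDBs back into text (useful when reading a capture of an update). This is an added example, not code from ipodscsi or the freemyipod project: the function names and sub-command labels are made up here, the file sizes are constructed, and trimming the last block stage by stage is an assumption, since the page only says the last transfer is trimmed.

```python
import struct

VENDOR_OPCODE = 0xC6  # first CDB byte of every update command (from the page)

# Sub-commands as listed on the page; the labels are this example's wording.
SUBCOMMANDS = {
    0x96: "initiate update",
    0x97: "read update log page",
    0x98: "write update log page",
    0x94: "repartition",
    0x90: "init transfer",
    0x91: "upload data",
    0x92: "end transfer",
    0x31: "final command",
}
FILE_TYPES = {0x00: "firmware (MSE)", 0x01: "bootloader (RB3)"}

# Data stages that follow each full 0x91 command, in order (from the page).
STAGE_SIZES = (16384, 3584, 16384, 16384, 12800)
BLOCK_SIZE = sum(STAGE_SIZES)  # bytes carried by one full 0x91 command


def init_cdb(file_type, size):
    """Build c6 90 <type> <be32 size> plus nine zero bytes (16 bytes)."""
    if file_type not in FILE_TYPES:
        raise ValueError("type must be 0 (MSE) or 1 (RB3)")
    if not 0 < size <= 0xFFFFFFFF:
        raise ValueError("size must fit the 32-bit big-endian field")
    return struct.pack(">BBBI", VENDOR_OPCODE, 0x90, file_type, size) + bytes(9)


def upload_plan(size):
    """Return [(cdb, [data stage lengths])] for one file of `size` bytes.

    Assumption: the final block is trimmed by shortening or dropping
    stages in order; the page only says the last transfer is trimmed.
    """
    cdb = bytes([VENDOR_OPCODE, 0x91, 0x00, 0x10]) + bytes(6)
    plan, left = [], size
    while left > 0:
        stages = []
        for stage in STAGE_SIZES:
            take = min(stage, left)
            if take == 0:
                break
            stages.append(take)
            left -= take
        plan.append((cdb, stages))
    return plan


def file_transfer(file_type, size):
    """CDBs for one complete file: 0x90, every 0x91, then 0x92."""
    end = bytes([VENDOR_OPCODE, 0x92]) + bytes(14)
    return [init_cdb(file_type, size)] + [c for c, _ in upload_plan(size)] + [end]


def describe_cdb(cdb):
    """Decode one CDB, e.g. from a bus capture, into readable text."""
    if len(cdb) < 2 or cdb[0] != VENDOR_OPCODE:
        return "not a 0xc6 update command"
    sub = cdb[1]
    name = SUBCOMMANDS.get(sub, "unknown sub-command 0x%02x" % sub)
    if sub == 0x90 and len(cdb) >= 7:
        kind = FILE_TYPES.get(cdb[2], "unknown type 0x%02x" % cdb[2])
        return "%s: %s, %d bytes" % (name, kind, struct.unpack(">I", cdb[3:7])[0])
    if sub == 0x94 and len(cdb) >= 6:
        return "%s: firmware partition %d KB" % (name, struct.unpack(">I", cdb[2:6])[0])
    return name


if __name__ == "__main__":
    # Constructed sizes; real ones come from the .rb3 and Firmware.MSE files.
    session = [bytes.fromhex("c696" + "00" * 8),
               bytes.fromhex("c69400028000" + "00" * 10)]
    session += file_transfer(0x01, 70000) + file_transfer(0x00, 200000)
    for cdb in session:
        print(cdb.hex(" "), "->", describe_cdb(cdb))
```

The five stage sizes add up to 65536 bytes, so each full 0x91 command carries exactly 64 KiB of the file.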
The app is written with [[Classic 1G]], [[Classic 2G]], and [[Classic 3G]] in mind, but also works with [[Nano 3G]] and [[Nano 4G]]. More details to come soon on a separate page. We'd be happy if someone could test whether it works on [[Nano 5G]] and [[Nano 6G]] and post the results on the [[Talk:Nano4G_firmware_upgrade_process|Discussion page]].

6dcdc5e93a2e3ce7deb3abd0cd6e7bd7b24d03cf EmCORE Installation/iPodClassic/ThirdParty 0 344 4259 3819 2016-06-09T01:20:48Z User890104 124 wikitext text/x-wiki

{{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}}

Does that third party firmware offer you a way to run "UMSboot"?
* [[EmCORE Installation/iPodClassic/ThirdPartyUMSboot|Yes]]
* [[EmCORE Installation/iPodClassic/PrepareDFU|No]]

77818b091d00ac52f39cfbfe2992f481eb0d9541 EmCORE Installation/iPodClassic/ThirdPartyUMSboot 0 345 4260 3820 2016-06-09T01:21:04Z User890104 124 wikitext text/x-wiki

{{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}}

Please plug your iPod into your computer and boot "UMSboot" now. Do you see a 64MB-sized USB drive called "UMSboot" connect to your computer, and can you access it?
* [[EmCORE Installation/iPodClassic/UMSboot|Yes]]
* [[EmCORE Installation/iPodClassic/PrepareDFU|No]]

95f770c0087bd1a76021c95ef954d0381c389a35 EmCORE Installation/iPodClassic/UnsupportedOS 0 349 4263 3827 2016-06-09T01:22:43Z User890104 124 wikitext text/x-wiki

{{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}}

Sorry, your PC operating system is not supported. Please get access to either a Windows (XP or newer) or Linux computer to install [[emCORE]].
d905c12291b7bb7e2cd5f58825b791afb5f0d3e2 EmCORE Installation/iPodClassic/PrepareDFUWin 0 351 4265 3842 2016-06-09T01:23:10Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} Do you have iTunes installed on your computer? * [[EmCORE Installation/iPodClassic/DFUiTunes|Yes]] * [[EmCORE Installation/iPodClassic/ChooseMethod|No]] 254472b905071fa27fdf70599a28e65c358777b0 EmCORE Releases 0 346 4266 4162 2016-06-09T01:23:31Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} Here is a list of all builds of [[emCORE]] that have been released into public so far. '''Please do not use any other builds unless you really know what you're doing!''' The most recent version is the topmost one in the following list. It is recommended to use that one, unless you have a specific reason to use another. * [[EmCORE_Releases/r859|'''emCORE r859 (2012-01-02)''']] * <s>[[EmCORE_Releases/r855|emCORE r855 (2012-01-01)]]</s> * [[EmCORE_Releases/r708|emCORE r708 (2011-04-24)]] * [[EmCORE_Releases/r692|emCORE r692 (2011-04-06)]] * [[EmCORE_Releases/r674|emCORE r674 (2011-03-25)]] cbfa41c1a30dfe9d4e1525fa92c3c39b1f5d0125 EmCORE Installation/iPodClassic/InstalliTunes 0 355 4269 3850 2016-06-09T01:24:18Z User890104 124 wikitext text/x-wiki {{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}} * Please install iTunes now. You can get it from http://www.apple.com/itunes/download/. 
* [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]] e45569f4d9665a5e3a9f579de84d1a2a621100aa EmCORE Installation/iPodNano2G 0 342 4272 4107 2016-06-14T21:02:41Z User890104 124 wikitext text/x-wiki Your device is fully supported by [[emCORE]], but there are some bugs left, so it's not yet recommended for end users. If you would like to dualboot [http://www.rockbox.org/ Rockbox] and Apple's firmware, it would be safer to use Rockbox's bootloader or [https://theseven.freemyipod.org/iloader/ iLoader]. If you would like to install [[emCORE]] on your iPod Nano 2G, you can follow the [https://theseven.freemyipod.org/iloader/installation.php iLoader install instructions], but substituting iLoader's .ipodx file with '''installer-ipodnano2g.ipodx''' from [[EmCORE_Releases|the Releases page]]. If you don't want to see the bootmenu every time you power on your iPod, you can use Tools->Settings to set a default boot option (Rockbox, OF, UMSboot, Disk mode, etc.) 74f13f714d893deb49155445e98e816779b078ca Status 0 121 4274 4008 2017-04-06T16:10:19Z User890104 124 wikitext text/x-wiki {{outdated|reason=This page is not updated anymore, please refer to Rockbox's website for a list of supported iPod models.}} This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management 
| <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. 
We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> b6c50f00244f1876ded9dffc7d20fa7b4fe5b340 Status 0 121 4275 4274 2017-04-06T16:11:11Z User890104 124 wikitext text/x-wiki {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | 
[[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g">The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> c66cd185b32141f1deec49ae707c25a4d09f4fbe 21910 4275 2022-01-05T00:25:22Z User890104 124 Disable outdated warning, add Nano 7G wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! 
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | 
<span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and if we want to do something with them at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 7e79efa03e050c0b8c5cd84118a1e052f8dabda7 21914 21910 2022-01-05T00:53:23Z User890104 124 Update Nano 5G status wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span 
style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and if we want to do something with them at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> 0e766d0139d5a31896a8d17d0fbdca83118c6507 21915 21914 2022-01-05T00:54:27Z User890104 124 Update Boot OF wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span 
style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Untested'''<ref name="similar8702"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and if we want to do something with them at all.</ref> <ref name="similar8702">Should be similar to the iPod Classic 1G, but wasn't tested on this platform yet.</ref> </references> fc8db0b689dbca2e49dcd3d6bb37d24431c6119e 21916 21915 2022-01-05T00:55:39Z User890104 124 Update Nano 3G status wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware encryption | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | style="background-color: #ddd" | [[EmCORE_Installation|emCORE Installer]] | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:red">'''No'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span 
style="color:green">'''Yes'''</span> | style="background-color: #ddd" | <span style="color:green">'''Yes'''</span> |- | Boot OF | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and if we want to do something with them at all.</ref> </references> bcf7b9661e10f038520c154ee91a8c0d1fba676e
Restore iPod without iTunes 0 416 4277 4255 2017-04-16T17:18:52Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But iTunes probably won't recognise it unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it; just accept, and the iPod will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...

=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.

=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Overview of the procedure=
# You put the iPod into DFU mode
# You send the first stage of the restore firmware (called "WTF") to the iPod using mks5lboot
# The iPod reconnects with different USB IDs
# You send the second stage of the restore firmware (called "FIRMWARE") to the iPod using mks5lboot
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all these three at once using ipodscsi
# Your iPod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
<s>There's also a video of (almost) the whole procedure. The commands are longer, because I have the files in different directories. Also, it doesn't show USB driver installation, because I already have them installed. Link to the video: https://www.youtube.com/watch?v=6-nEXXv8_PY</s>

The video is outdated, showing the old procedure (using Python/pyusb and ipoddfu.py).

==Putting the iPod into DFU mode==
# Get a USB to iPod dock cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button) for 12 seconds (count to 12, just to be sure that your timing is right).
# Release the buttons.
# You're in DFU mode.

Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE

==Uploading the first restore stage (WTF)==
"What the f*ck"? No, it probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway.

1. Press the Start menu button.
2. Type '''cmd''' and press '''Enter'''.
3. In the black window that opens, type '''cd Desktop''' and press '''Enter'''.
4. Download one of these files to your Desktop, depending on the Windows version you have (x86 = 32-bit, x64 = 64-bit): [https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot32.exe mks5lboot32.exe] OR [https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot64.exe mks5lboot64.exe] (Right-click, then choose Save link as...).
5. And this one too, from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server).
6. Go to your desktop, and rename the '''ipsw''' file to '''zip'''.
7. Use your favourite tool to extract the zip: '''WinZip''', '''WinRAR''' and '''7-zip''' all work, and even Windows' integrated ZIP extractor will do.
8. Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop.

'''Please note that the commands here are for the 32-bit version, which should work on all Windows versions - if you choose to use the 64-bit version, please enter mks5lboot64.exe instead of mks5lboot32.exe in the following commands!'''

9. Back in the black window, type (or copy/paste):
 mks5lboot32.exe --dfuscan
You should see a message similar to the following, showing that your iPod is detected. If not, please ask for support and do not continue.
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] DFU scan:
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU device state: 2
10. Enter the following command:
 mks5lboot32.exe --dfusend WTF.x????.RELEASE.dfu
and press Enter. You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU image sent successfully (35955 bytes)
If you see something different, stop here. Otherwise, go ahead.

==Uploading the second restore stage (FIRMWARE)==
1. Enter the following command:
 mks5lboot32.exe --dfuscan
You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] DFU scan:
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU device state: 2
2. On the line that contains the text "found", look for the USB Product ID. It is the four characters after the text '''PID_'''. In this example, it's 1245, which means a Classic 2G (120GB).
3. Download one of the following files, depending on your iPod's model/product ID.
* For '''Classic 1G''' (USB PID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw].
* For '''Classic 2G''' (USB PID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw].
* For '''Classic 3G''' (USB PID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw].
4. As before, rename it to zip and extract it.
5. Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment.
6. Enter the following command:
 mks5lboot32.exe --dfusend FIRMWARE.x????.RELEASE.dfu
and press Enter. You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU image sent successfully (1157699 bytes)
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it; say '''No''' if it does. Continue to the next step.

==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section.
Take a note of its drive letter (e.g. '''F:'''). # Open the black window, and type: ipodscsi.exe F: ipod6g writefirmware -p -r Firmware-* You should see: ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven) This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Repartitioning... done Initiating firmware transfer... done Writing firmware................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ................................................................................ ...... done Rebooting device... done Your iPod will reboot. 
You'll see a black screen with an Apple logo and a progress bar at the bottom. Then it will show you another Apple logo for a while, and finally start Apple's firmware.

It should be safe to format it at this point. Use '''FAT32''' as the filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.

Then use iTunes to manage your music/videos. Or [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html install Rockbox].

Enjoy your unbricked iPod!

=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]
372d8eea16552a754f0494d7765c527a35acf197 4278 4277 2017-04-16T17:22:10Z User890104 124 wikitext text/x-wiki
Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, this is the article you're looking for!

First, you should try restoring it with iTunes. But iTunes probably won't recognise it unless you put it in DFU mode. Here's a video on how to achieve this: https://www.youtube.com/watch?v=Y_bIDtBohnE

Then use iTunes' Restore option. It should actually ask you to do it; just accept, and the iPod will be back to life in a minute or two.

''But, .... it doesn't work! What should I do? It's BROKEN!''

Calm down, and keep reading...
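The restore procedure on this page tells the stages apart by the USB product ID that <code>mks5lboot --dfuscan</code> prints: 1223 in DFU mode, then 1241, 1245 or 1247 once the WTF stage is running on a Classic 1G, 2G or 3G. The Python below is an added example, not part of the original article or of mks5lboot; it reads that scan output, decides which recovery package and <code>.dfu</code> image the procedure calls for, refuses anything the page does not cover, and reads the image straight out of the <code>.ipsw</code> (a ZIP archive) without renaming it. The function names and the in-memory sample archive are hypothetical.

```python
import io
import re
import zipfile

APPLE_VID = "05AC"
# PID -> (device mode, image kind to send next), as given in the procedure
# on this page for the iPod Classic. Nanos use different files.
STAGES = {
    "1223": ("DFU mode", "WTF"),
    "1241": ("Classic 1G running WTF", "FIRMWARE"),
    "1245": ("Classic 2G running WTF", "FIRMWARE"),
    "1247": ("Classic 3G running WTF", "FIRMWARE"),
}
FOUND_RE = re.compile(r"found\s+\S*?VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

# Scan output as shown in the article (second stage, Classic 2G).
SAMPLE_SCAN = r"""[INFO] DFU scan:
[INFO] winapi: found \\?\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
[INFO] DFU device state: 2
"""


def parse_dfuscan(output):
    """Return (vid, pid) of the single device listed in --dfuscan output."""
    devices = FOUND_RE.findall(output)
    if len(devices) != 1:
        raise ValueError(f"expected exactly one DFU device, got {len(devices)}")
    vid, pid = devices[0]
    return vid.upper(), pid.upper()


def plan_next_send(output):
    """Map the scanned PID to the package and image the procedure sends next."""
    vid, pid = parse_dfuscan(output)
    if vid != APPLE_VID:
        raise ValueError(f"VID {vid} is not Apple ({APPLE_VID})")
    if pid not in STAGES:
        raise ValueError(f"PID {pid} is not covered by this procedure")
    mode, kind = STAGES[pid]
    return {
        "mode": mode,
        "ipsw": f"x{pid}0000_Recovery.ipsw",
        "member": f"Firmware/dfu/{kind}.x{pid}.RELEASE.dfu",
    }


def extract_image(ipsw, plan):
    """Read the planned .dfu image from the .ipsw (path or binary file object).

    Fails if the archive does not hold exactly that image, so a package for
    a different model or stage is never used by mistake."""
    wanted = plan["member"].lower()
    with zipfile.ZipFile(ipsw) as archive:
        hits = [n for n in archive.namelist() if n.lower() == wanted]
        if len(hits) != 1:
            raise ValueError(f"{plan['member']} not found exactly once")
        data = archive.read(hits[0])
    if not data:
        raise ValueError("image is empty")
    return hits[0].rsplit("/", 1)[-1], data


def make_sample_ipsw():
    """Constructed stand-in for x12450000_Recovery.ipsw (dummy bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Firmware/dfu/FIRMWARE.x1245.RELEASE.dfu",
                         b"constructed-dummy-image")
        archive.writestr("Firmware/other.bin", b"constructed-decoy")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    plan = plan_next_send(SAMPLE_SCAN)
    name, data = extract_image(make_sample_ipsw(), plan)
    print(f"{plan['mode']}: take {name} ({len(data)} bytes) from {plan['ipsw']}")
```
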
=The standard disclaimer=
'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''

Continue reading only if you agree.

=Prerequisites=
* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)
* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)
* Patience

=Overview of the procedure=
# You put the iPod into DFU mode
# You send the first stage of the restore firmware (called "WTF") to the iPod using mks5lboot
# The iPod reconnects with different USB IDs
# You send the second stage of the restore firmware (called "FIRMWARE") to the iPod using mks5lboot
# The iPod shows a monochrome disk mode screen
# You repartition the hard disk, upload the new firmware and reboot the iPod - all these three at once using ipodscsi
# Your iPod is working again. Yay!

You're ready? Ok, let's do it!

=Steps to restore=
<s>There's also a video of (almost) the whole procedure. The commands are longer, because I have the files in different directories. Also, it doesn't show USB driver installation, because I already have them installed. Link to the video: https://www.youtube.com/watch?v=6-nEXXv8_PY</s>

The video is outdated, showing the old procedure (using Python/pyusb and ipoddfu.py).

==Putting the iPod into DFU mode==
# Get a USB to iPod dock cable.
# Connect it to your computer.
# Get your iPod.
# Lock the '''HOLD''' switch, then unlock it after a second.
# Connect the USB cable to the iPod.
# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.
# Hold down '''MENU''' + '''SELECT''' (the center button) for 12 seconds (count to 12, just to be sure that your timing is right).
# Release the buttons.
# You're in DFU mode.

Here's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE

==Uploading the first restore stage (WTF)==
"What the f*ck"? No, it probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway.

1. Press the Start menu button.
2. Type '''cmd''' and press '''Enter'''.
3. In the black window that opens, type '''cd Desktop''' and press '''Enter'''.
4. Download one of these files to your Desktop, depending on the Windows version you have (x86 = 32-bit, x64 = 64-bit): [https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot32.exe mks5lboot32.exe] OR [https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot64.exe mks5lboot64.exe] (Right-click, then choose Save link as...).
5. And this one too, from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server).
6. Go to your desktop, and rename the '''ipsw''' file to '''zip'''.
7. Use your favourite tool to extract the zip: '''WinZip''', '''WinRAR''' and '''7-zip''' all work, and even Windows' integrated ZIP extractor will do.
8. Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop.
'''Please note that the commands here are for the 32-bit version, which should work on all Windows versions - if you choose to use the 64-bit version, please enter mks5lboot64.exe instead of mks5lboot32.exe in the following commands!'''

9. Back in the black window, type: (or copy/paste)
 mks5lboot32.exe --dfuscan
and press Enter. You should see a message similar to the following, showing that your iPod is detected. If not, please ask for support and do not continue.
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] DFU scan:
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU device state: 2

10. Enter the following command:
 mks5lboot32.exe --dfusend WTF.x????.RELEASE.dfu
You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU image sent successfully (35955 bytes)
If you see something different, stop here. Otherwise, go ahead.

==Uploading the second restore stage (FIRMWARE)==
1. Enter the following command:
 mks5lboot32.exe --dfuscan
You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] DFU scan:
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU device state: 2

2. On the line that contains the text "found", look for the USB Product ID. It is the four characters after the text '''PID_'''. In this example, it's 1245, which means a Classic 2G (120GB).

3.
Download one of the following files, depending on your iPod's model/product ID.
* For '''Classic 1G''' (USB PID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw].
* For '''Classic 2G''' (USB PID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw].
* For '''Classic 3G''' (USB PID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw].

4. As before, rename it to zip and extract it.

5. Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment.

6. Enter the following command:
 mks5lboot32.exe --dfusend FIRMWARE.x????.RELEASE.dfu
and press Enter. You should see the following output:
 mks5lboot Version -170303
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>
 [INFO] winapi: found \\?\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0001
 [INFO] DFU image sent successfully (1157699 bytes)
After 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and the text '''Do not disconnect''' at the bottom. Windows might want to reformat it; say '''No''' if it does. Continue to the next step.

==Final step: Install Apple's firmware==
# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.
# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.
# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.
# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.
# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. '''F:''').
# Open the black window, and type:
 ipodscsi.exe F: ipod6g writefirmware -p -r Firmware-*
You should see:
 ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)
 This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 Repartitioning... done
 Initiating firmware transfer... done
 Writing firmware................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ................................................................................
 ...... done
 Rebooting device... done
Your iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will again show you another Apple logo for a while, and finally start Apple's firmware. It should be safe to format it at this point. Use '''FAT32''' as filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. [http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice. Then use iTunes to manage your music/videos. Or [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html install Rockbox].

Enjoy your unbricked iPod!

=Related info=
* [[Modes|USB Modes of iPods]]
* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]
* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]
* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]

b6b8c64f3d88fa2d53bfbbb0fd5b1a28981b665c
Contact 0 259 4279 4199 2017-04-29T16:34:33Z User890104 124 fix mailing list urls, change https to https wikitext text/x-wiki

There are various ways to contact the freemyipod team.

Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them, nor can we help you with anything on these devices.

== IRC ==
We have some fairly active IRC channels on [https://freenode.net/ freenode]. Some channels are logged; please check https://logs.freemyipod.org for the logfiles.

=== #freemyipod-support ===
This is our support channel.
<span style="color: #f00;">'''If you have questions or problems concerning our software, this is the place to ask.'''</span> If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org], and if you have any question related to the original iPod firmware, please ask elsewhere.
* You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [https://webchat.freenode.net/?channels=freemyipod-support here])

=== #freemyipod ===
This channel is for anything else related to the project, mainly focused on development. If you want to learn more about the technical details of something or want to [[Contributing|contribute]] to the project, we will be glad to help you.
* You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [https://webchat.freenode.net/?channels=freemyipod here])

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there.
* You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [https://webchat.freenode.net/?channels=freemyipod-chatter here])

== Mailing lists ==
We have several mailing lists. You can find them on https://lists.freemyipod.org.

=== freemyipod ===
This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something.
* You can register on [https://lists.freemyipod.org/cgi-bin/mailman/listinfo/freemyipod this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list.
* You can subscribe to it [https://lists.freemyipod.org/cgi-bin/mailman/listinfo/freemyipod-commits here]

== Mail ==
If you want to contact one of the core members directly, you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.

9c8dc42149ebf7b09ee39112636fb468bc98f7af
4280 4279 2017-04-29T16:43:02Z User890104 124 wikitext text/x-wiki

There are various ways to contact the freemyipod team.

Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them, nor can we help you with anything on these devices.

== IRC ==
We have some fairly active IRC channels on [https://freenode.net/ freenode]. Some channels are logged; please check https://logs.freemyipod.org for the logfiles.

=== #freemyipod-support ===
This is our support channel. <span style="color: #f00;">'''If you have questions or problems concerning our software, this is the place to ask.'''</span> If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org], and if you have any question related to the original iPod firmware, please ask elsewhere.
* You can join it on [irc://irc.freenode.net/freemyipod-support #freemyipod-support]. (Web client [https://webchat.freenode.net/?channels=freemyipod-support here])

=== #freemyipod ===
This channel is for anything else related to the project, mainly focused on development. If you want to learn more about the technical details of something or want to [[Contributing|contribute]] to the project, we will be glad to help you.
* You can join it on [irc://irc.freenode.net/freemyipod #freemyipod]. (Web client [https://webchat.freenode.net/?channels=freemyipod here])

=== #freemyipod-chatter ===
This is our off-topic channel. Anything that is not related to the project should be discussed there.
* You can join it on [irc://irc.freenode.net/freemyipod-chatter #freemyipod-chatter]. (Web client [https://webchat.freenode.net/?channels=freemyipod-chatter here])

== Mailing lists ==
We have several mailing lists. You can find them on https://lists.freemyipod.org.

=== freemyipod-general ===
This list is for questions on the project, development related stuff and everything else related to the project. Feel free to post here if you want to help out (also see [[Contributing]]) or just have a question on something.
* You can register on [https://lists.freemyipod.org/cgi-bin/mailman/listinfo/freemyipod-general this page]

=== freemyipod-commits ===
This is an information-only list that posts a mail whenever a developer commits something into the [[SVN|Subversion repository]]. You cannot post to this list.
* You can subscribe to it [https://lists.freemyipod.org/cgi-bin/mailman/listinfo/freemyipod-commits here]

== Mail ==
If you want to contact one of the core members directly, you can send a mail to <member name>@freemyipod.org. Please only use this if you really want to contact this specific member; if you have a general question, suggestion or request, please send it to the mailing list.

c3f5d7bf1aa032f274bf04597ecbcd87e18cedfa
20548 4280 2021-05-29T10:36:42Z User890104 124 Move IRC from freenode to libera, remove mailing list and individual mailboxes info wikitext text/x-wiki

There are various ways to contact the freemyipod team.

Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them, nor can we help you with anything on these devices.

== IRC ==
We have an IRC channel on [https://libera.chat/ Libera].
* You can join it on [ircs://irc.libera.chat/freemyipod #freemyipod]. (Web client [https://web.libera.chat/?channels=#freemyipod here])

IRC logs are available; please check https://logs.freemyipod.org for the logfiles. They might not be up-to-date, and automatic sync is planned.
If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org], and if you have any question related to the original iPod firmware, please ask elsewhere.

== Mailing lists ==
We used to have mailing lists, but they are not operational anymore.

== Mail ==
We used to have individual mailboxes for project members, but they are not operational anymore.

e1e14de5a7f2cb5ddb6fb1865d83020d74504b16
21890 20548 2021-06-09T16:04:06Z User890104 124 wikitext text/x-wiki

There are various ways to contact the freemyipod team.

Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them, nor can we help you with anything on these devices.

== IRC ==
We have an IRC channel on [https://libera.chat/ Libera].
* You can join it on [ircs://irc.libera.chat/freemyipod #freemyipod]. (Web client [https://web.libera.chat/?channels=#freemyipod here])

IRC logs are available; please check https://logs.freemyipod.org for the logfiles. They might not be up-to-date, and automatic sync is planned.

If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org], and if you have any question related to the original iPod firmware, please ask elsewhere.

== Discord ==
While not an official channel for support, you can find others interested in iPod Nano/Classic development in the [https://discord.gg/7PnGEXjW3X iPod Nano Hacking discord server].

== Mailing lists ==
We used to have mailing lists, but they are not operational anymore.

== Mail ==
We used to have individual mailboxes for project members, but they are not operational anymore.
4145fe4276338ebe6fac00889c6f6497f071bf3b
EmCORE Installation/iPodClassic/InstalliTunesDrivers 0 415 4281 4270 2017-06-18T21:39:11Z User890104 124 wikitext text/x-wiki

{{outdated|reason=emCORE on iPod Classic is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] instead.}}

* Go to http://www.apple.com/itunes/download/ and download the installer (for example, to your Desktop), but do not run it
* Get the 7-Zip archiver, and install it: http://7-zip.org/download.html
* Open 7-Zip, then browse to the Desktop
* Right-click the installer, and select '''Open Inside (Ctrl+PgDn)'''
* Click on '''AppleMobileDeviceSupport6464.msi''', and select '''Copy''' from 7-Zip's toolbar
* Select the Desktop as destination
* Run the AppleMobileDeviceSupport6464 installer from the Desktop, and let it install
If you see a prompt about an Apple service that failed to start, that's OK. Just hit '''Ignore'''
* [[EmCORE Installation/iPodClassic/DFUiTunes|Next step]]

''Note: After you complete the emCORE installation, you can go to '''Programs and features''', and remove Apple's drivers (order the apps by '''Date installed''' so you can find it easily)''

a997ecdc95c7a9c7fa14a0e6f9411d30d277ca2d
Main Page 0 50 4282 4273 2018-08-25T18:44:55Z User890104 124 wikitext text/x-wiki

__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project.

Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares such as [http://www.rockbox.org rockbox] to them.
Freemyipod is a relaunch of [[Linux4nano]]

==Installing Rockbox on iPod Classic==
emCORE is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] in order to install and run Rockbox on iPod Classic.

==Getting started with [[emCORE]] (DEPRECATED)==
# Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment.
# Follow the [[emCORE_Installation|installation instructions]] if your device is supported.
# In case you encounter any bugs, please [[Contact|contact]] us in order to report them.

==Updates==
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme!
More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically.

See the [[Status]] page for more detailed information.

Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.

{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
** [[ Toolchain ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Special:Code/freemyipod|SVN Activity ]]
* [[ Project summary ]]
===Released Software===
* [[iBugger]]
* [[iLoader]]
* [[emCORE]]
** [[emCORE Installation]]
** [[emCORE Releases]]
** [[emCORE Monitor Protocol]]
** [[emCOREFS]]
** [[emCORE Uninstallation]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
0e414f6202d3b367cbc03ae1f08f08fd61bbe877
21909 4282 2022-01-05T00:19:44Z User890104 124 Bring back the updates archive, post the most recent news wikitext text/x-wiki

__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project.

Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares such as [http://www.rockbox.org rockbox] to them.

Freemyipod is a relaunch of [[Linux4nano]]

==Installing Rockbox on iPod Classic==
emCORE is DEPRECATED, please use the [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html Rockbox bootloader] in order to install and run Rockbox on iPod Classic.

==Getting started with [[emCORE]] (DEPRECATED)==
# Check if your device is supported by the installer. Only [[Nano_2G|iPod Nano 2G]] and iPod Classic [[Classic_1G|1G]]/[[Classic_2G|2G]]/[[Classic_3G|3G]] are supported at the moment.
# Follow the [[emCORE_Installation|installation instructions]] if your device is supported.
# In case you encounter any bugs, please [[Contact|contact]] us in order to report them.

==Updates==
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox.
It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE, including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic!
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->

Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically.

See the [[Status]] page for more detailed information.

Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
** [[ Toolchain ]]
* [[ SVN ]]
* [[ Todo list ]]
* [[ Special:Code/freemyipod|SVN Activity ]]
* [[ Project summary ]]
===Released Software===
* [[iBugger]]
* [[iLoader]]
* [[emCORE]]
** [[emCORE Installation]]
** [[emCORE Releases]]
** [[emCORE Monitor Protocol]]
** [[emCOREFS]]
** [[emCORE Uninstallation]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
* [[Firmware decryption]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
===Other guides===
* [[MPEG movies]]
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
*** [[Nano2G HW analysis]]
*** [[S5L8701 analysis]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}

20f20a2b9db437e974362c132cbf139f6a1b7a50
S5L8700 datasheet 0 255 21891 3296 2021-11-05T14:44:21Z User890104 124 Add datasheet URL wikitext text/x-wiki

The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG official Samsung 8700 info page].

The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail.
The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version.

==Helpful pages==
https://files.freemyipod.org/misc/S5L8700X-DS.pdf

http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues

http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html

http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html

765bd1906b905f669d0b65cba827bca033ce1320
Bootrom 0 6417 21892 2021-12-09T20:38:46Z Q3k 6232 Stub. wikitext text/x-wiki

The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G.

8c9f3ccff15692a8d1122ebe4263baa502c9ab7e
21893 21892 2021-12-09T20:47:53Z Q3k 6232 wikitext text/x-wiki

== Introduction ==
The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G.

The reverse engineering efforts below have been based on a ROM extract from a Nano 4G with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb.

== BootROM functionality ==
The BootROM can perform the following actions:
# Boot from NAND flash (via built-in flash translation layer implementation)
# Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...)
# Boot from USB DFU mode.

The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is attempted, then DFU).

All three boot paths end up performing the same image verification steps:
# Verify image header (IMG1/DFU v2.0, '87202.0' header): perform SHA1 then AES of first 0x40 bytes, compare against stored sum, decrypt rest of image with AES.
# Parse footer certificates and verify footer signature against body.
== Certificate parsing ==
The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms.

== DFU mode ==
The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DWC2 OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based), and the entire data transfer is effectively performed in poll/synchronous mode. The differences between the Nano and SecureROM bootrom codebases seem to be the main reason that none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths is yet to be performed.

269d8be93a1621f862a845280728445514f7a866
21896 21893 2021-12-09T21:35:41Z Q3k 6232 wikitext text/x-wiki

== Introduction ==
The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G.

The reverse engineering efforts below have been based on a ROM extract from a Nano 4G with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb.

== BootROM functionality ==
The BootROM can perform the following actions:
# Boot from NAND flash (via built-in flash translation layer implementation)
# Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...)
# Boot from USB DFU mode.

The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is attempted, then DFU).

All three boot paths end up performing the same image verification steps:
# Verify image header (IMG1/DFU v2.0, '87202.0' header): perform SHA1 then AES of first 0x40 bytes, compare against stored sum.
# Parse footer certificates and verify footer signature against body (undocumented).
# Decrypt and jump into body.
== Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DWC2 OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based), and the entire data transfer is effectively performed in poll/synchronous mode. The differences between the Nano and SecureROM bootrom codebases seem to be the main reason none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed. 79d7cc1540f02f6167ff080266fdfad95bc086d8 21897 21896 2021-12-09T21:36:07Z Q3k 6232 wikitext text/x-wiki == Introduction == The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G. The reverse engineering efforts below have been based on a ROM extract from a Nano 4g with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same image verification steps: # Load image into memory at beginning of SRAM. # Verify image header (IMG1/DFU v2.0, '87202.0' header): perform SHA1 then AES of first 0x40 bytes, compare against stored sum. # Parse footer certificates and verify footer signature against body (undocumented).
# Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DWC2 OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based), and the entire data transfer is effectively performed in poll/synchronous mode. The differences between the Nano and SecureROM bootrom codebases seem to be the main reason none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed. 045a544832f1b31161cbc3ec33073191602b4533 21904 21897 2021-12-09T22:24:10Z Q3k 6232 wikitext text/x-wiki == Introduction == The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G. The reverse engineering efforts below have been based on a ROM extract from a Nano 4g with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same [[IMG1 image]] verification steps: # Load image into memory at beginning of SRAM. # Verify image header ([[IMG1]] 2.0): perform SHA1 then AES of first 0x40 bytes, compare against stored sum. # Parse footer certificates and verify footer signature against body (undocumented).
# Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DWC2 OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based), and the entire data transfer is effectively performed in poll/synchronous mode. The differences between the Nano and SecureROM bootrom codebases seem to be the main reason none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed. 55ebf82aa01f8937d1a953e4568d336ffe91d780 21905 21904 2021-12-09T22:24:26Z Q3k 6232 wikitext text/x-wiki == Introduction == The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G. The reverse engineering efforts below have been based on a ROM extract from a Nano 4g with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same [[IMG1|image]] verification steps: # Load image into memory at beginning of SRAM. # Verify image header ([[IMG1]] 2.0): perform SHA1 then AES of first 0x40 bytes, compare against stored sum. # Parse footer certificates and verify footer signature against body (undocumented).
# Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DWC2 OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based), and the entire data transfer is effectively performed in poll/synchronous mode. The differences between the Nano and SecureROM bootrom codebases seem to be the main reason none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed. bc9874c596188c01b9a1b99ecaaba0371f8b4781 21907 21905 2021-12-09T22:27:50Z Q3k 6232 /* DFU mode */ wikitext text/x-wiki == Introduction == The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G. The reverse engineering efforts below have been based on a ROM extract from a Nano 4g with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same [[IMG1|image]] verification steps: # Load image into memory at beginning of SRAM. # Verify image header ([[IMG1]] 2.0): perform SHA1 then AES of first 0x40 bytes, compare against stored sum.
# Parse footer certificates and verify footer signature against body (undocumented). # Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DesignWare HS OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based, so no unlink/house of $x heap attacks), and the entire data transfer is effectively performed in poll/synchronous mode (with all transfers initiated via USB DMA directly into temporary receive buffers). The differences between the Nano and SecureROM bootrom codebases seem to be the main reason none of the SecureROM USB exploits work (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed, and other vulnerabilities are likely to exist. 21b1f74133c89519044e445cbb38ba37e75a855a Pwnage 2.0 0 200 21894 2941 2021-12-09T21:33:03Z Q3k 6232 wikitext text/x-wiki The Pwnage 2.0 bug/exploit targets and is present in early S5L8xxx bootroms: both iOS-world SecureROM and iPod-world bootroms. == Background == This information is based on the reverse-engineering of the iPod Nano 4G [[S5L8720 Bootrom]]. All function/structure names present are pulled out of thin air. After performing header validation (SHA1 & AES), the bootrom parses the certificates present at the footer of an uploaded image. These certificates are plain DER-encoded ASN.1 X.509 certificates, and thus their parsing logic is quite complex. For reference, see RFC5280. === WTF === The WTF (What's That Firmware?) payload is the typical payload executed over DFU by the bootrom.
WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. === ASN.1/DER Parsing === The bootrom has a few complex structures used to handle the parsing, most notably every ASN.1 type parsed (X.509 Certificate/TBSCertificate and X.509 Name). Each one of the types is parsed based on a common function (der::parse) called with a different der::step array. A der::step looks as follows: struct der::step { uint32 asn1_tag; uint8 match_content_length; void *visitor_or_content; int step_depth; int step_breadth; uint flags; } With flags being a bitmap of: #define FLAG_CHECK_CONTENT_ONLY 1 #define FLAG_VISIT_CONTENT_ONLY 2 #define FLAG_VISIT_ALL 4 #define FLAG_OPTIONAL 8 der::parse streams (linearly) every DER tag/field present in the given blob, and in parallel walks through the array of der::steps. It matches the tag from the blob against the asn1_tag field of the der::step. If they don't match (and FLAG_OPTIONAL isn't set), the whole parse fails. If they do match, the following action is taken: * If FLAG_CHECK_CONTENT_ONLY is set, the content of the streamed field is compared against visitor_or_content interpreted as a byte array of match_content_length bytes. If the content doesn't match, the parse fails. * If FLAG_VISIT_CONTENT_ONLY is set, visitor_or_content is interpreted as a function pointer and called with the content of the ASN.1 field being currently visited. If the visitor returns an error, the parse fails. * If FLAG_VISIT_ALL is set, visitor_or_content is interpreted as a function pointer and called with the entire ASN.1 field (including tag and length bytes). If the visitor returns an error, the parse fails. 
Then, an ASN.1 field tree traversal action is performed: * If step_depth != -1, the current field extents and current step are pushed on an internal stack, and the inner contents of the field continue being parsed starting at der::steps[step_depth]. If the internal stack overflows, the parse fails. * If step_breadth != -1, the current field is skipped and the next field continues to be parsed by der::steps[step_breadth]. * Otherwise (both step_depth == -1 and step_breadth == -1), the internal stack is 'popped' and both the DER streaming and der::step are restored to whatever was saved on the internal stack. The der::step that was pushed has its step_breadth consulted for the next step to be executed, if that is also -1 then the stack continues to be popped. The parse fails if the stack underflows. As the parse continues through the DER byte stream and the der::steps, a structure is constructed and populated with information retrieved from the certificate by the visitors. For example, the signatureAlgorithm field is recorded, the entire TBSCertificate structure extents are recorded, etc. After the parse of the certificate is done, two more der::parse executions happen: on the issuerName and subjectName as recorded by the certificate visitors. == Certificate Parsing Bug == Most of the visitors in der::steps take care to never trust the lengths specified in the DER stream. However, one visitor (Certificate der::step[29]) is an exception - it copies over data from the expected signatureValue field in Certificate into the structure holding parsed certificate data without checking for maximum length. === Exploiting the bug === (The following applies to the Nano 4G [[S5L8720 Bootrom]]. Every bootrom will likely have slightly different offsets.)
The target structure (der::cert::parse_ctx) looks as follows: struct der::cert::parse_ctx { uint tbs_certificate_len; byte *tbs_certificate_data; uint version; uint algorithm_len; byte *algorithm_data; uint issuer_len; byte *issuer_data; uint subject_len; byte *subject_data; uint extension_oid_len; byte *extension_oid_data; byte extension_critical; der::cert::certificate *certobj; } The signatureValue is copied to ctx->certobj->signatureValue; der::cert::certificate looks as follows: struct der::cert::certificate { byte unimportant[1036]; // parsed certificate fields byte authorityKeyIdentifier[20]; byte signatureValue[256]; uint signatureValue_len; uint der_outer_sig_alg_type; byte[20] sha1_tbs_calculated; byte[20] sha1_all_calculated; uint unknown; } Now, certobj in der::cert::parse_ctx is a pointer. Where is the data actually held? It's in yet another object, der::chain::parse_ctx, which is the overarching structure used to parse the entire certificate chain (three certificates): struct der::chain::parse_ctx { uint unknown[2]; der::cert::parse_ctx current_cert; der::cert::certificate[3] chain_certs; } For every certificate in the chain, cert::der::parse is called on der::chain::parse_ctx->current_cert, whose certobj is populated by one of chain_certs (each one after the other as the chain is parsed). Due to earlier checks, three certificates must be present in the footer for them to be parsed at all. Finally, where is der::chain::parse_ctx stored? On the stack! In fact, directly after der::chain::parse_ctx there are 0x24 bytes of saved registers, with the last 4 bytes being the saved LR. Thus, to mount the attack, we need to do the following: # Present the BootROM with a valid image header with some certificates after the body. The body never gets to be checked or decrypted, so we can write anything we want there (as long as the sizes match the sizes in the header).
# Provide three certificates in the chain that match the bare minimum required by the certificate DER parse steps. # Make the last certificate's signatureValue overflow into the saved LR. The original buffer is 256 bytes, we need to overflow it by 308 bytes to leave the der::chain::parse_ctx structure, then by 0x20 bytes more to reach the saved LR, then provide 4 bytes of PC to override. Since the signatureValue is an ASN.1 BIT STRING, we need to prefix the tag value with a zero. This gives us in total 600 or 601 bytes to fill signatureValue with. If we can't generate arbitrary image headers to set arbitrary footer certificate sizes we need to pad all certificates involved so that the signatureValue of the last cert is exactly the size we want to overflow (or at least not too long so that the copy doesn't cause a write to unmapped memory). Afterwards, with code exec, we can use the HW AES engine to sign arbitrary headers to not have to worry about sizes. Crafting the certificates is an exercise left to the reader. Maybe the exact constraints and process will be listed here at some point, but starting out with certificates from a legitimate WTF file and mangling the last certificate to overflow by exactly 600 bytes is a good start (possibly adjusting previous certs to make some space for the longer signatureValue). === Payload === The easiest place to stuff the payload is in the body of the image. The bootrom never gets to checking or decrypting it, so we can easily just put some executable code there. Depending on the bootrom, the image body will be placed somewhere in the beginning of SRAM (0x22000600 for Nano4g). Then, our stack smash can simply point to that address and we get code execution. f2a66450bd2c9d76cccc2c08224acfc165143775 21898 21894 2021-12-09T21:47:00Z Q3k 6232 wikitext text/x-wiki The Pwnage 2.0 bug/exploit targets and is present in early S5L8xxx bootroms: both iOS-world SecureROM and iPod-world bootroms. 
== Background == This information is based on the reverse-engineering of the iPod Nano 4G [[S5L8720 Bootrom]]. All function/structure names present are pulled out of thin air. After performing header validation (SHA1 & AES), the bootrom parses the certificates present at the footer of an uploaded image. These certificates are plain DER-encoded ASN.1 X.509 certificates, and thus their parsing logic is quite complex. For reference, see RFC5280. === WTF === The WTF (What's That Firmware?) payload is the typical payload executed over DFU by the bootrom. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. === ASN.1/DER Parsing === The bootrom has a few complex structures used to handle the parsing, most notably every ASN.1 type parsed (X.509 Certificate/TBSCertificate and X.509 Name). Each one of the types is parsed based on a common function (der::parse) called with a different der::step array. A der::step looks as follows: struct der::step { uint32 asn1_tag; uint8 match_content_length; void *visitor_or_content; int step_depth; int step_breadth; uint flags; } With flags being a bitmap of: #define FLAG_CHECK_CONTENT_ONLY 1 #define FLAG_VISIT_CONTENT_ONLY 2 #define FLAG_VISIT_ALL 4 #define FLAG_OPTIONAL 8 der::parse streams (linearly) every DER tag/field present in the given blob, and in parallel walks through the array of der::steps. It matches the tag from the blob against the asn1_tag field of the der::step. If they don't match (and FLAG_OPTIONAL isn't set), the whole parse fails. 
If they do match, the following action is taken: * If FLAG_CHECK_CONTENT_ONLY is set, the content of the streamed field is compared against visitor_or_content interpreted as a byte array of match_content_length bytes. If the content doesn't match, the parse fails. * If FLAG_VISIT_CONTENT_ONLY is set, visitor_or_content is interpreted as a function pointer and called with the content of the ASN.1 field being currently visited. If the visitor returns an error, the parse fails. * If FLAG_VISIT_ALL is set, visitor_or_content is interpreted as a function pointer and called with the entire ASN.1 field (including tag and length bytes). If the visitor returns an error, the parse fails. Then, an ASN.1 field tree traversal action is performed: * If step_depth != -1, the current field extents and current step are pushed on an internal stack, and the inner contents of the field continue being parsed starting at der::steps[step_depth]. If the internal stack overflows, the parse fails. * If step_breadth != -1, the current field is skipped and the next field continues to be parsed by der::steps[step_breadth]. * Otherwise (both step_depth == -1 and step_breadth == -1), the internal stack is 'popped' and both the DER streaming and der::step are restored to whatever was saved on the internal stack. The der::step that was pushed has its step_breadth consulted for the next step to be executed, if that is also -1 then the stack continues to be popped. The parse fails if the stack underflows. As the parse continues through the DER byte stream and the der::steps, a structure is constructed and populated with information retrieved from the certificate by the visitors. For example, the signatureAlgorithm field is recorded, the entire TBSCertificate structure extents are recorded, etc. After the parse of the certificate is done, two more der::parse executions happen: on the issuerName and subjectName as recorded by the certificate visitors.
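The step-table walk described above, as an added example in C (not code from the bootrom or from this wiki). It is a reduced model: single-byte tags, only FLAG_VISIT_CONTENT_ONLY, and the assumption that popping the outermost field ends the parse successfully. All identifiers and the sample certificate are hypothetical, and the signatureValue visitor bounds its copy by the destination size, so an oversized field fails the parse.

```c
/* Added example, not bootrom code: names and sample data are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FLAG_VISIT_CONTENT_ONLY 2
#define MAX_DEPTH 4
typedef int (*visitor_fn)(void *ctx, const uint8_t *content, size_t len);

struct der_step {
    uint8_t    asn1_tag;
    visitor_fn visitor;
    int        step_depth, step_breadth;  /* child / next-sibling step index, or -1 */
    unsigned   flags;
};
struct cert_out { uint8_t signatureValue[256]; uint32_t signatureValue_len; };

/* Read one tag/length header; the length must fit in the enclosing extent. */
static int read_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *hdr, size_t *len)
{
    size_t n, h = 2;
    if (avail < 2) return -1;
    *tag = p[0]; n = p[1];
    if (n & 0x80) {                              /* long form, 1 or 2 length bytes */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || avail < 2 + cnt) return -1;
        n = cnt == 1 ? p[2] : ((size_t)p[2] << 8) | p[3];
        h += cnt;
    }
    if (avail - h < n) return -1;
    *hdr = h; *len = n;
    return 0;
}

/* signatureValue visitor: refuses content that does not fit the destination. */
static int visit_signature(void *ctx, const uint8_t *content, size_t len)
{
    struct cert_out *c = ctx;
    if (len < 1 || content[0] != 0) return -1;      /* BIT STRING unused-bits byte */
    content++; len--;
    if (len > sizeof c->signatureValue) return -1;  /* the maximum-length check */
    memcpy(c->signatureValue, content, len);
    c->signatureValue_len = (uint32_t)len;
    return 0;
}

int der_parse(const struct der_step *steps, const uint8_t *buf, size_t len, void *ctx)
{
    struct { const uint8_t *resume, *end; int step; } stack[MAX_DEPTH];
    const uint8_t *p = buf, *end = buf + len;
    int sp = 0, cur = 0;
    for (;;) {
        const struct der_step *s = &steps[cur];
        uint8_t tag; size_t hdr, n;
        if (read_header(p, (size_t)(end - p), &tag, &hdr, &n) != 0) return -1;
        if (tag != s->asn1_tag) return -1;       /* no optional steps in this model */
        const uint8_t *content = p + hdr;
        if ((s->flags & FLAG_VISIT_CONTENT_ONLY) && s->visitor(ctx, content, n) != 0)
            return -1;
        if (s->step_depth != -1) {               /* push, then parse the children */
            if (sp == MAX_DEPTH) return -1;      /* internal stack overflow */
            stack[sp].resume = content + n; stack[sp].end = end; stack[sp].step = cur;
            sp++;
            p = content; end = content + n; cur = s->step_depth;
            continue;
        }
        p = content + n;                         /* skip over this field */
        if (s->step_breadth != -1) { cur = s->step_breadth; continue; }
        for (;;) {                               /* pop until a saved step has a sibling */
            if (sp == 0) return -1;              /* internal stack underflow */
            sp--;
            p = stack[sp].resume; end = stack[sp].end;
            int b = steps[stack[sp].step].step_breadth;
            if (b != -1) { cur = b; break; }
            if (sp == 0) return 0;               /* assumption: outermost field done */
        }
    }
}

/* Reduced Certificate: SEQUENCE { tbs, signatureAlgorithm, signatureValue }. */
static const struct der_step cert_steps[] = {
    { 0x30, NULL,             1, -1, 0 },
    { 0x30, NULL,            -1,  2, 0 },
    { 0x30, NULL,            -1,  3, 0 },
    { 0x03, visit_signature, -1, -1, FLAG_VISIT_CONTENT_ONLY },
};

/* Parse a constructed sample; returns the stored length, or -1 on parse failure. */
long parse_sample(size_t sig_len)
{
    static const uint8_t inner[] = { 0x30,0x02,0x05,0x00, 0x30,0x02,0x05,0x00 };
    uint8_t buf[1024] = { 0x30, 0x82 }, *bs = buf + 4 + sizeof inner;
    struct cert_out c = { {0}, 0 };
    size_t bits = sig_len + 1, body = sizeof inner + 4 + bits;
    if (sig_len > 900) return -1;
    buf[2] = (uint8_t)(body >> 8); buf[3] = (uint8_t)body;
    memcpy(buf + 4, inner, sizeof inner);
    bs[0] = 0x03; bs[1] = 0x82; bs[2] = (uint8_t)(bits >> 8); bs[3] = (uint8_t)bits;
    memset(bs + 5, 0xA5, sig_len);               /* bs[4] stays 0: no unused bits */
    return der_parse(cert_steps, buf, 4 + body, &c) == 0 ? (long)c.signatureValue_len : -1;
}

int main(void) { printf("%ld %ld\n", parse_sample(256), parse_sample(300)); return 0; }
```

The sample uses two-byte long-form lengths throughout, which is not minimal DER; the reduced reader accepts it.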
== Certificate Parsing Bug == Most of the visitors in der::steps take care to never trust the lengths specified in the DER stream. However, one visitor (Certificate der::step[29]) is an exception - it copies over data from the expected signatureValue field in Certificate into the structure holding parsed certificate data without checking for maximum length. === Exploiting the bug === (The following applies to the Nano 4G [[S5L8720 Bootrom]]. Every bootrom will likely have slightly different offsets.) The target structure (der::cert::parse_ctx) looks as follows: struct der::cert::parse_ctx { uint tbs_certificate_len; byte *tbs_certificate_data; uint version; uint algorithm_len; byte *algorithm_data; uint issuer_len; byte *issuer_data; uint subject_len; byte *subject_data; uint extension_oid_len; byte *extension_oid_data; byte extension_critical; der::cert::certificate *certobj; } The signatureValue is copied to ctx->certobj->signatureValue; der::cert::certificate looks as follows: struct der::cert::certificate { byte unimportant[1036]; // parsed certificate fields byte authorityKeyIdentifier[20]; byte signatureValue[256]; uint signatureValue_len; uint der_outer_sig_alg_type; byte[20] sha1_tbs_calculated; byte[20] sha1_all_calculated; uint unknown; } Now, certobj in der::cert::parse_ctx is a pointer. Where is the data actually held? It's in yet another object, der::chain::parse_ctx, which is the overarching structure used to parse the entire certificate chain (three certificates): struct der::chain::parse_ctx { uint unknown[2]; der::cert::parse_ctx current_cert; der::cert::certificate[3] chain_certs; } For every certificate in the chain, cert::der::parse is called on der::chain::parse_ctx->current_cert, whose certobj is populated by one of chain_certs (each one after the other as the chain is parsed). Due to earlier checks, three certificates must be present in the footer for them to be parsed at all. Finally, where is der::chain::parse_ctx stored? On the stack!
In fact, directly after der::chain::parse_ctx there are 0x24 bytes of saved registers, with the last 4 bytes being the saved LR. Thus, to mount the attack, we need to do the following: # Present the BootROM with a valid image header with some certificates after the body. The body never gets to be checked or decrypted, so we can write anything we want there (as long as the sizes match the sizes in the header). # Provide three certificates in the chain that match the bare minimum required by the certificate DER parse steps. # Make the last certificate's signatureValue overflow into the saved LR. The original buffer is 256 bytes, we need to overflow it by 308 bytes to leave the der::chain::parse_ctx structure, then by 0x20 bytes more to reach the saved LR, then provide 4 bytes of PC to override. Since the signatureValue is an ASN.1 BIT STRING, we need to prefix the tag value with a zero. This gives us in total 344 or 345 bytes to fill signatureValue with. If we can't generate arbitrary image headers to set arbitrary footer certificate sizes we need to pad all certificates involved so that the signatureValue of the last cert is exactly the size we want to overflow (or at least not too long so that the copy doesn't cause a write to unmapped memory). Afterwards, with code exec, we can use the HW AES engine to sign arbitrary headers to not have to worry about sizes. Crafting the certificates is an exercise left to the reader. Maybe the exact constraints and process will be listed here at some point, but starting out with certificates from a legitimate WTF file and mangling the last certificate to overflow by exactly 344 bytes is a good start (possibly adjusting previous certs to make some space for the longer signatureValue). === Payload === The easiest place to stuff the payload is in the body of the image. The bootrom never gets to checking or decrypting it, so we can easily just put some executable code there. 
Depending on the bootrom, the image body will be placed somewhere in the beginning of SRAM (0x22000600 for Nano4g). Then, our stack smash can simply point to that address and we get code execution. 3a8c4e7e6ee185b3d3dd683c5a93eeacd2102eab 21899 21898 2021-12-09T21:47:36Z Q3k 6232 /* Exploiting the bug */ wikitext text/x-wiki The Pwnage 2.0 bug/exploit targets and is present in early S5L8xxx bootroms: both iOS-world SecureROM and iPod-world bootroms. == Background == This information is based on the reverse-engineering of the iPod Nano 4G [[S5L8720 Bootrom]]. All function/structure names present are pulled out of thin air. After performing header validation (SHA1 & AES), the bootrom parses the certificates present at the footer of an uploaded image. These certificates are plain DER-encoded ASN.1 X.509 certificates, and thus their parsing logic is quite complex. For reference, see RFC5280. === WTF === The WTF (What's That Firmware?) payload is the typical payload executed over DFU by the bootrom. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. === ASN.1/DER Parsing === The bootrom has a few complex structures used to handle the parsing, most notably every ASN.1 type parsed (X.509 Certificate/TBSCertificate and X.509 Name). Each one of the types is parsed based on a common function (der::parse) called with a different der::step array. 
A der::step looks as follows: struct der::step { uint32 asn1_tag; uint8 match_content_length; void *visitor_or_content; int step_depth; int step_breadth; uint flags; } With flags being a bitmap of: #define FLAG_CHECK_CONTENT_ONLY 1 #define FLAG_VISIT_CONTENT_ONLY 2 #define FLAG_VISIT_ALL 4 #define FLAG_OPTIONAL 8 der::parse streams (linearly) every DER tag/field present in the given blob, and in parallel walks through the array of der::steps. It matches the tag from the blob against the asn1_tag field of the der::step. If they don't match (and FLAG_OPTIONAL isn't set), the whole parse fails. If they do match, the following action is taken: * If FLAG_CHECK_CONTENT_ONLY is set, the content of the streamed field is compared against visitor_or_content interpreted as a byte array of match_content_length bytes. If the content doesn't match, the parse fails. * If FLAG_VISIT_CONTENT_ONLY is set, visitor_or_content is interpreted as a function pointer and called with the content of the ASN.1 field being currently visited. If the visitor returns an error, the parse fails. * If FLAG_VISIT_ALL is set, visitor_or_content is interpreted as a function pointer and called with the entire ASN.1 field (including tag and length bytes). If the visitor returns an error, the parse fails. Then, an ASN.1 field tree traversal action is performed: * If step_depth != -1, the current field extents and current step are pushed on an internal stack, and the inner contents of the field continue being parsed starting at der::steps[step_depth]. If the internal stack overflows, the parse fails. * If step_breadth != -1, the current field is skipped and the next field continues to be parsed by der::steps[step_breadth]. * Otherwise (both step_depth == -1 and step_breadth == -1), the internal stack is 'popped' and both the DER streaming and der::step are restored to whatever was saved on the internal stack.
The der::step that was pushed has its step_breadth consulted for the next step to be executed, if that is also -1 then the stack continues to be popped. The parse fails if the stack underflows. As the parse continues through the DER byte stream and the der::steps, a structure is constructed and populated with information retrieved from the certificate by the visitors. For example, the signatureAlgorithm field is recorded, the entire TBSCertificate structure extents are recorded, etc. After the parse of the certificate is done, two more der::parse executions happen: on the issuerName and subjectName as recorded by the certificate visitors. == Certificate Parsing Bug == Most of the visitors in der::steps take care to never trust the lengths specified in the DER stream. However, one visitor (Certificate der::step[29]) is an exception - it copies over data from the expected signatureValue field in Certificate into the structure holding parsed certificate data without checking for maximum length. === Exploiting the bug === (The following applies to the Nano 4G [[S5L8720 Bootrom]]. Every bootrom will likely have slightly different offsets.) The target structure (der::cert::parse_ctx) looks as follows: struct der::cert::parse_ctx { uint tbs_certificate_len; byte *tbs_certificate_data; uint version; uint algorithm_len; byte *algorithm_data; uint issuer_len; byte *issuer_data; uint subject_len; byte *subject_data; uint extension_oid_len; byte *extension_oid_data; byte extension_critical; der::cert::certificate *certobj; } The signatureValue is copied to ctx->certobj->signatureValue; der::cert::certificate looks as follows: struct der::cert::certificate { byte unimportant[1036]; // parsed certificate fields byte authorityKeyIdentifier[20]; byte signatureValue[256]; uint signatureValue_len; uint der_outer_sig_alg_type; byte[20] sha1_tbs_calculated; byte[20] sha1_all_calculated; uint unknown; } Now, certobj in der::cert::parse_ctx is a pointer. Where is the data actually held? 
It's in yet another object, der::chain::parse_ctx, which is the overarching structure used to parse the entire certificate chain (three certificates): struct der::chain::parse_ctx { uint unknown[2]; der::cert::parse_ctx current_cert; der::cert::certificate[3] chain_certs; } For every certificate in the chain, cert::der::parse is called on der::chain::parse_ctx->current_cert, whose certobj is populated by one of chain_certs (each one after the other as the chain is parsed). Due to earlier checks, three certificates must be present in the footer for them to be parsed at all. Finally, where is der::chain::parse_ctx stored? On the stack! In fact, directly after der::chain::parse_ctx there are 0x24 bytes of saved registers, with the last 4 bytes being the saved LR. Thus, to mount the attack, we need to do the following: # Present the BootROM with a valid image header with some certificates after the body. The body never gets to be checked or decrypted, so we can write anything we want there (as long as the sizes match the sizes in the header). # Provide three certificates in the chain that match the bare minimum required by the certificate DER parse steps. # Make the last certificate's signatureValue overflow into the saved LR. The original buffer is 256 bytes, we need to overflow it by 308 bytes (256 + 52) to leave the der::chain::parse_ctx structure, then by 0x20 more bytes to reach the saved LR, then provide 4 bytes of PC to override. Since the signatureValue is an ASN.1 BIT STRING, we need to prefix the tag value with a zero. This gives us in total 344 or 345 bytes to fill signatureValue with. If we can't generate arbitrary image headers to set arbitrary footer certificate sizes we need to pad all certificates involved so that the signatureValue of the last cert is exactly the size we want to overflow (or at least not too long so that the copy doesn't cause a write to unmapped memory).
Afterwards, with code exec, we can use the HW AES engine to sign arbitrary headers to not have to worry about sizes. Crafting the certificates is an exercise left to the reader. Maybe the exact constraints and process will be listed here at some point, but starting out with certificates from a legitimate WTF file and mangling the last certificate to overflow by exactly 344 bytes is a good start (possibly adjusting previous certs to make some space for the longer signatureValue). === Payload === The easiest place to stuff the payload is in the body of the image. The bootrom never gets to checking or decrypting it, so we can easily just put some executable code there. Depending on the bootrom, the image body will be placed somewhere in the beginning of SRAM (0x22000600 for Nano4g). Then, our stack smash can simply point to that address and we get code execution. 489ec4f86384cc355fb5b74cfe62707f73ae2563 21900 21899 2021-12-09T21:48:53Z Q3k 6232 /* Exploiting the bug */ wikitext text/x-wiki The Pwnage 2.0 bug/exploit targets and is present in early S5L8xxx bootroms: both iOS-world SecureROM and iPod-world bootroms. == Background == This information is based on the reverse-engineering of the iPod Nano 4G [[S5L8720 Bootrom]]. All function/structure names present are pulled out of thin air. After performing header validation (SHA1 & AES), the bootrom parses the certificates present at the footer of an uploaded image. These certificates are plain DER-encoded ASN.1 X.509 certificates, and thus their parsing logic is quite complex. For reference, see RFC5280. === WTF === The WTF (What's That Firmware?) payload is the typical payload executed over DFU by the bootrom. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. 
Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. === ASN.1/DER Parsing === The bootrom has a few complex structures used to handle the parsing, most notably every ASN.1 type parsed (X.509 Certificate/TBSCertificate and X.509 Name). Each one of the types is parsed based on a common function (der::parse) called with a different der::step array. A der::step looks as follows: struct der::step { uint32 asn1_tag; uint8 match_content_length; void *visitor_or_content; int step_depth; int step_breadth; uint flags; } With flags being a bitmap of: #define FLAG_CHECK_CONTENT_ONLY 1 #define FLAG_VISIT_CONTENT_ONLY 2 #define FLAG_VISIT_ALL 4 #define FLAG_OPTIONAL 8 der::parse streams (linearly) every DER tag/field present in the given blob, and in parallel walks through the array of der::steps. It matches the tag from the blob against the asn1_tag field of the der::step. If they don't match (and FLAG_OPTIONAL isn't set), the whole parse fails. If they do match, the following action is taken: * If FLAG_CHECK_CONTENT_ONLY is set, the content of the streamed field is compared against visitor_or_content interpreted as a byte array of match_content_length bytes. If the content doesn't match, the parse fails. * If FLAG_VISIT_CONTENT_ONLY is set, visitor_or_content is interpreted as a function pointer and called with the content of the ASN.1 field being currently visited. If the visitor returns an error, the parse fails. * If FLAG_VISIT_ALL is set, visitor_or_content is interpreted as a function pointer and called with the entire ASN.1 field (including tag and length bytes). If the visitor returns an error, the parse fails. 
Then, an ASN.1 field tree traversal action is performed:

* If step_depth != -1, the current field extents and current step are pushed on an internal stack, and the inner contents of the field continue being parsed starting at der::steps[step_depth]. If the internal stack overflows, the parse fails.
* If step_breadth != -1, the current field is skipped and the next field continues to be parsed by der::steps[step_breadth].
* Otherwise (both step_depth == -1 and step_breadth == -1), the internal stack is 'popped' and both the DER streaming and der::step are restored to whatever was saved on the internal stack. The der::step that was pushed has its step_breadth consulted for the next step to be executed; if that is also -1, the stack continues to be popped. The parse fails if the stack underflows.

As the parse continues through the DER byte stream and the der::steps, a structure is constructed and populated with information retrieved from the certificate by the visitors. For example, the signatureAlgorithm field is recorded, the entire TBSCertificate structure extents are recorded, etc.

After the parse of the certificate is done, two more der::parse executions happen: on the issuerName and subjectName as recorded by the certificate visitors.

== Certificate Parsing Bug ==

Most of the visitors in der::steps take care to never trust the lengths specified in the DER stream. However, one visitor (Certificate der::step[29]) is an exception - it copies over data from the expected signatureValue field in Certificate into the structure holding parsed certificate data without checking for maximum length.

=== Exploiting the bug ===

(The following applies to the Nano 4G [[S5L8720 Bootrom]]. Every bootrom will likely have slightly different offsets.)
The target structure (der::cert::parse_ctx) looks as follows:

 struct der::cert::parse_ctx {
     uint tbs_certificate_len;
     byte *tbs_certificate_data;
     uint version;
     uint algorithm_len;
     byte *algorithm_data;
     uint issuer_len;
     byte *issuer_data;
     uint subject_len;
     byte *subject_data;
     uint extension_oid_len;
     byte *extension_oid_data;
     byte extension_critical;
     der::cert::certificate *certobj;
 }

The signatureValue is copied to ctx->certobj->signatureValue; der::cert::certificate looks as follows:

 struct der::cert::certificate {
     byte unimportant[1016]; // parsed certificate fields
     byte authorityKeyIdentifier[20];
     byte signatureValue[256];
     uint signatureValue_len;
     uint der_outer_sig_alg_type;
     byte sha1_tbs_calculated[20];
     byte sha1_all_calculated[20];
     uint unknown;
 }

Now, certobj in der::cert::parse_ctx is a pointer. Where is the data actually held? It's in yet another object, der::chain::parse_ctx, which is the overarching structure used to parse the entire certificate chain (three certificates):

 struct der::chain::parse_ctx {
     uint unknown[2];
     der::cert::parse_ctx current_cert;
     der::cert::certificate chain_certs[3];
 }

For every certificate in the chain, cert::der::parse is called on der::chain::parse_ctx->current_cert, whose certobj is populated by one of chain_certs (each one after the other as the chain is parsed). Due to earlier checks, three certificates must be present in the footer for them to be parsed at all.

Finally, where is der::chain::parse_ctx stored? On the stack! In fact, directly after der::chain::parse_ctx there are 0x24 bytes of saved registers, with the last 4 bytes being the saved LR.

Thus, to mount the attack, we need to do the following:

# Present the BootROM with a valid image header with some certificates after the body. The body never gets to be checked or decrypted, so we can write anything we want there (as long as the sizes match the sizes in the header).
# Provide three certificates in the chain that match the bare minimum required by the certificate DER parse steps. # Make the last certificate's signatureValue overflow into the saved LR. The original buffer is 256 bytes, we need to overflow it by 308 bytes (256 + 52) to leave the der::chain::parse_ctx structure, then by 0x20 more bytes to reach the saved LR, then provide 4 bytes of PC to override. Since the signatureValue is an ASN.1 BIT STRING, we need to prefix the tag value with a zero. This gives us in total 344 or 345 bytes to fill signatureValue with. If we can't generate arbitrary image headers to set arbitrary footer certificate sizes we need to pad all certificates involved so that the signatureValue of the last cert is exactly the size we want to overflow (or at least not too long so that the copy doesn't cause a write to unmapped memory). Afterwards, with code exec, we can use the HW AES engine to sign arbitrary headers to not have to worry about sizes. Crafting the certificates is an exercise left to the reader. Maybe the exact constraints and process will be listed here at some point, but starting out with certificates from a legitimate WTF file and mangling the last certificate to overflow by exactly 344 bytes is a good start (possibly adjusting previous certs to make some space for the longer signatureValue). === Payload === The easiest place to stuff the payload is in the body of the image. The bootrom never gets to checking or decrypting it, so we can easily just put some executable code there. Depending on the bootrom, the image body will be placed somewhere in the beginning of SRAM (0x22000600 for Nano4g). Then, our stack smash can simply point to that address and we get code execution. ae02136505cfe3b602ba8004bebbcfbd31617755 21903 21900 2021-12-09T22:23:39Z Q3k 6232 wikitext text/x-wiki The Pwnage 2.0 bug/exploit targets and is present in early S5L8xxx bootroms: both iOS-world SecureROM and iPod-world bootroms. 
== Background == This information is based on the reverse-engineering of the iPod Nano 4G [[S5L8720 Bootrom]]. All function/structure names present are pulled out of thin air. After performing header validation (SHA1 & AES), the bootrom parses the certificates present at the footer of an uploaded [[IMG1]]. These certificates are plain DER-encoded ASN.1 X.509 certificates, and thus their parsing logic is quite complex. For reference, see RFC5280. === WTF === The WTF (What's That Firmware?) payload is the typical payload executed over DFU by the bootrom. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads [http://www.trejan.com/projects/ipod/phobos.html here]. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu. === ASN.1/DER Parsing === The bootrom has a few complex structures used to handle the parsing, most notably every ASN.1 type parsed (X.509 Certificate/TBSCertificate and X.509 Name). Each one of the types is parsed based on a common function (der::parse) called with a different der::step array. A der::step looks as follows: struct der::step { uint32 asn1_tag; uint8 match_content_length; void *visitor_or_content; int step_depth; int step_breadth; uint flags; } With flags being a bitmap of: #define FLAG_CHECK_CONTENT_ONLY 1 #define FLAG_VISIT_CONTENT_ONLY 2 #define FLAG_VISIT_ALL 4 #define FLAG_OPTIONAL 8 der::parse streams (linearly) every DER tag/field present in the given blob, and in parallel walks through the array of der::steps. It matches the tag from the blob against the asn1_tag field of the der::step. If they don't match (and FLAG_OPTIONAL isn't set), the whole parse fails. 
If they do match, the following action is taken:

* If FLAG_CHECK_CONTENT_ONLY is set, the content of the streamed field is compared against visitor_or_content interpreted as a byte array of match_content_length bytes. If the content doesn't match, the parse fails.
* If FLAG_VISIT_CONTENT_ONLY is set, visitor_or_content is interpreted as a function pointer and called with the content of the ASN.1 field being currently visited. If the visitor returns an error, the parse fails.
* If FLAG_VISIT_ALL is set, visitor_or_content is interpreted as a function pointer and called with the entire ASN.1 field (including tag and length bytes). If the visitor returns an error, the parse fails.

Then, an ASN.1 field tree traversal action is performed:

* If step_depth != -1, the current field extents and current step are pushed on an internal stack, and the inner contents of the field continue being parsed starting at der::steps[step_depth]. If the internal stack overflows, the parse fails.
* If step_breadth != -1, the current field is skipped and the next field continues to be parsed by der::steps[step_breadth].
* Otherwise (both step_depth == -1 and step_breadth == -1), the internal stack is 'popped' and both the DER streaming and der::step are restored to whatever was saved on the internal stack. The der::step that was pushed has its step_breadth consulted for the next step to be executed; if that is also -1, the stack continues to be popped. The parse fails if the stack underflows.

As the parse continues through the DER byte stream and the der::steps, a structure is constructed and populated with information retrieved from the certificate by the visitors. For example, the signatureAlgorithm field is recorded, the entire TBSCertificate structure extents are recorded, etc.

After the parse of the certificate is done, two more der::parse executions happen: on the issuerName and subjectName as recorded by the certificate visitors.
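A compact model of the step-table walk described in this section, as an added example rather than code recovered from the bootrom. The flag and field names follow the page; the step table, the sample blobs, `read_header`, `parse_cert`, `visit_signature`, the stack and buffer sizes, the handling of an absent optional field and the termination rule are assumptions made for illustration. The signature visitor checks the field length against its buffer before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { FLAG_CHECK_CONTENT_ONLY = 1, FLAG_VISIT_CONTENT_ONLY = 2, FLAG_VISIT_ALL = 4,
       FLAG_OPTIONAL = 8, MAX_NEST = 8, SIG_MAX = 4 /* last two: constructed sizes */ };
typedef int (*visitor_fn)(void *ctx, const uint8_t *p, size_t n);
/* der::step from the page; visitor_or_content is split so no function pointer lives in a void *. */
struct step {
    uint32_t asn1_tag; uint8_t match_content_length;
    const uint8_t *content; visitor_fn visitor;
    int step_depth, step_breadth; unsigned flags;
};
struct frame { size_t field_end, parent_end; int step; };
struct cert_ctx { uint8_t sig[SIG_MAX]; size_t sig_len; };
/* Decode a header at pos < end: one-byte tags, definite lengths, bounded by end. */
static int read_header(const uint8_t *b, size_t pos, size_t end,
                       uint8_t *tag, size_t *hdr, size_t *len) {
    if (end - pos < 2) return -1;
    size_t l = b[pos + 1], h = 2;
    if (l & 0x80) {
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || end - pos - 2 < n) return -1;
        for (l = 0; h < 2 + n; h++) l = (l << 8) | b[pos + h];
    }
    if (l > end - pos - h) return -1; /* length must fit the enclosing field */
    *tag = b[pos]; *hdr = h; *len = l;
    return 0;
}

/* Returns 0 on success. Assumed: an absent optional field moves to the sibling
 * step without consuming input; popping the outermost field ends the parse. */
int der_parse(const uint8_t *b, size_t n, const struct step *steps, int nsteps, void *ctx) {
    struct frame stack[MAX_NEST];
    int sp = 0, cur = 0;
    size_t pos = 0, end = n, hdr = 0, len = 0;
    for (;;) {
        if (cur < 0 || cur >= nsteps) return -1;
        const struct step *s = &steps[cur];
        uint8_t tag = 0; int hit = 0;
        if (pos < end) {
            if (read_header(b, pos, end, &tag, &hdr, &len)) return -1;
            hit = (tag == s->asn1_tag);
        }
        if (!hit && !(s->flags & FLAG_OPTIONAL)) return -1;
        if (hit) {
            const uint8_t *c = b + pos + hdr;
            if ((s->flags & FLAG_CHECK_CONTENT_ONLY) &&
                (len != s->match_content_length || memcmp(c, s->content, len))) return -1;
            if ((s->flags & FLAG_VISIT_CONTENT_ONLY) && s->visitor(ctx, c, len)) return -1;
            if ((s->flags & FLAG_VISIT_ALL) && s->visitor(ctx, b + pos, hdr + len)) return -1;
        }
        if (hit && s->step_depth != -1) {       /* descend into the field */
            if (sp == MAX_NEST) return -1;      /* internal stack overflow */
            stack[sp++] = (struct frame){ pos + hdr + len, end, cur };
            pos += hdr; end = pos + len; cur = s->step_depth;
            continue;
        }
        if (hit) pos += hdr + len;              /* skip the whole field */
        int next = s->step_breadth;
        while (next == -1) {                    /* pop until a sibling step exists */
            if (sp == 0) return -1;             /* internal stack underflow */
            struct frame f = stack[--sp];
            pos = f.field_end; end = f.parent_end; next = steps[f.step].step_breadth;
            if (next == -1 && sp == 0) return pos == n ? 0 : -1;
        }
        cur = next;
    }
}

static int visit_signature(void *ctx, const uint8_t *p, size_t n) {
    struct cert_ctx *c = ctx;
    if (n > sizeof c->sig) return -1;           /* bound the length, then copy */
    memcpy(c->sig, p, n);
    c->sig_len = n;
    return 0;
}
static const uint8_t OID[] = { 0x2a, 0x03 };
static const struct step STEPS[] = { /* tag, len, content, visitor, depth, breadth, flags */
    { 0x30, 0, NULL, NULL,             1, -1, 0 },
    { 0x02, 0, NULL, NULL,            -1,  2, FLAG_OPTIONAL },
    { 0x30, 0, NULL, NULL,             3,  4, 0 },
    { 0x06, 2, OID,  NULL,            -1, -1, FLAG_CHECK_CONTENT_ONLY },
    { 0x03, 0, NULL, visit_signature, -1, -1, FLAG_VISIT_CONTENT_ONLY },
};
/* Constructed inputs: SEQUENCE { [INTEGER], SEQUENCE { OID }, BIT STRING } */
static const uint8_t GOOD[] = { 0x30,0x0e, 0x02,0x01,0x05, 0x30,0x04,0x06,0x02,0x2a,0x03, 0x03,0x03,0x00,0xaa,0xbb };
static const uint8_t NO_INT[] = { 0x30,0x0b, 0x30,0x04,0x06,0x02,0x2a,0x03, 0x03,0x03,0x00,0xaa,0xbb };
static const uint8_t LONG_SIG[] = { 0x30,0x10, 0x02,0x01,0x05, 0x30,0x04,0x06,0x02,0x2a,0x03, 0x03,0x05,0x00,0xaa,0xbb,0xcc,0xdd };
/* Returns the recorded signature length, or -1 if the parse fails. */
int parse_cert(const uint8_t *blob, size_t n) {
    struct cert_ctx c = { {0}, 0 };
    return der_parse(blob, n, STEPS, (int)(sizeof STEPS / sizeof *STEPS), &c) ? -1 : (int)c.sig_len;
}
int main(void) {
    printf("good=%d no_int=%d ", parse_cert(GOOD, sizeof GOOD), parse_cert(NO_INT, sizeof NO_INT));
    printf("long_sig=%d\n", parse_cert(LONG_SIG, sizeof LONG_SIG));
    return 0;
}
```

`LONG_SIG` differs from `GOOD` only in carrying a BIT STRING one byte longer than `SIG_MAX`, so the whole parse is rejected by the visitor's length check.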
== Certificate Parsing Bug ==

Most of the visitors in der::steps take care to never trust the lengths specified in the DER stream. However, one visitor (Certificate der::step[29]) is an exception - it copies over data from the expected signatureValue field in Certificate into the structure holding parsed certificate data without checking for maximum length.

=== Exploiting the bug ===

(The following applies to the Nano 4G [[S5L8720 Bootrom]]. Every bootrom will likely have slightly different offsets.)

The target structure (der::cert::parse_ctx) looks as follows:

 struct der::cert::parse_ctx {
     uint tbs_certificate_len;
     byte *tbs_certificate_data;
     uint version;
     uint algorithm_len;
     byte *algorithm_data;
     uint issuer_len;
     byte *issuer_data;
     uint subject_len;
     byte *subject_data;
     uint extension_oid_len;
     byte *extension_oid_data;
     byte extension_critical;
     der::cert::certificate *certobj;
 }

The signatureValue is copied to ctx->certobj->signatureValue; der::cert::certificate looks as follows:

 struct der::cert::certificate {
     byte unimportant[1016]; // parsed certificate fields
     byte authorityKeyIdentifier[20];
     byte signatureValue[256];
     uint signatureValue_len;
     uint der_outer_sig_alg_type;
     byte sha1_tbs_calculated[20];
     byte sha1_all_calculated[20];
     uint unknown;
 }

Now, certobj in der::cert::parse_ctx is a pointer. Where is the data actually held? It's in yet another object, der::chain::parse_ctx, which is the overarching structure used to parse the entire certificate chain (three certificates):

 struct der::chain::parse_ctx {
     uint unknown[2];
     der::cert::parse_ctx current_cert;
     der::cert::certificate chain_certs[3];
 }

For every certificate in the chain, cert::der::parse is called on der::chain::parse_ctx->current_cert, whose certobj is populated by one of chain_certs (each one after the other as the chain is parsed). Due to earlier checks, three certificates must be present in the footer for them to be parsed at all.

Finally, where is der::chain::parse_ctx stored? On the stack!
In fact, directly after der::chain::parse_ctx there are 0x24 bytes of saved registers, with the last 4 bytes being the saved LR. Thus, to mount the attack, we need to do the following: # Present the BootROM with a valid image header with some certificates after the body. The body never gets to be checked or decrypted, so we can write anything we want there (as long as the sizes match the sizes in the header). # Provide three certificates in the chain that match the bare minimum required by the certificate DER parse steps. # Make the last certificate's signatureValue overflow into the saved LR. The original buffer is 256 bytes, we need to overflow it by 308 bytes (256 + 52) to leave the der::chain::parse_ctx structure, then by 0x20 more bytes to reach the saved LR, then provide 4 bytes of PC to override. Since the signatureValue is an ASN.1 BIT STRING, we need to prefix the tag value with a zero. This gives us in total 344 or 345 bytes to fill signatureValue with. If we can't generate arbitrary image headers to set arbitrary footer certificate sizes we need to pad all certificates involved so that the signatureValue of the last cert is exactly the size we want to overflow (or at least not too long so that the copy doesn't cause a write to unmapped memory). Afterwards, with code exec, we can use the HW AES engine to sign arbitrary headers to not have to worry about sizes. Crafting the certificates is an exercise left to the reader. Maybe the exact constraints and process will be listed here at some point, but starting out with certificates from a legitimate WTF file and mangling the last certificate to overflow by exactly 344 bytes is a good start (possibly adjusting previous certs to make some space for the longer signatureValue). === Payload === The easiest place to stuff the payload is in the body of the image. The bootrom never gets to checking or decrypting it, so we can easily just put some executable code there. 
Depending on the bootrom, the image body will be placed somewhere in the beginning of SRAM (0x22000600 for Nano4g). Then, our stack smash can simply point to that address and we get code execution. e571b1ed6be5bbcc1836e7636e6c7a07d38fa1ba User:Q3k 2 6418 21895 2021-12-09T21:34:53Z Q3k 6232 Created page with "q3k on libera.chat, @q3k:hackerspace.pl on Matrix." wikitext text/x-wiki q3k on libera.chat, @q3k:hackerspace.pl on Matrix. bff492f6c50ee543f3380ad4fa93351154539b25 IMG1 0 6419 21901 2021-12-09T22:22:37Z Q3k 6232 Created page with "== Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was c..." wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. == IMG1 v2.0 == This is what we call the newer iteration of S5L images, as used in the Nano4G and up (and maybe Nano3G? to check). Here is the structure definition: struct IMG1_20 { char magic[4]; // SoC digits, eg. `8720`. char version[3]; // `2.0`. byte format; // Encryption/signature format: 3 for encrypted/signed. Same as IMG1 1.0. uint entrypoint; // Offset to jump to within body (after header). uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. 
     uint dataLen;           // Size of everything that's not the header (body + signature + certificates).
     uint footerCertOffset;  // Offset of certificate start (after header).
     uint footerCertLen;     // Size of certificate bundle.
     byte salt[32];          // Random data.
     ushort unk1;
     ushort unk2;            // Security epoch?
     byte headerSign[16];    // AES-encrypted SHA1 signature of everything up to headerSign.
     byte headerLeftover[4]; // Last four bytes of unencrypted SHA1, usually leftover in images, but not
                             // checked by firmware. Curiosity.
 }

The header is padded to either 0x600 (S5L8720) or 0x400 (S5L8740) bytes.

The different sections are a bit tricky to reason about; here's an attempted overview:

 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes)
 0x54: Padding until $header_size (magic dependent, 0x600 in this example)
 0x600: Body, bodyLen bytes.
 ...
 0x600 + bodyLen: body signature
 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle
 0x680 + bodyLen + footerCertLen: end of file.

The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.

A few assertions should hold:

# File size == $header_size + bodyLen + footerCertLen + 0x80
# dataLen = bodyLen + 0x80 + footerCertLen

=== Differences with v1.0 ===

There don't seem to be any practical differences, other than the different header padding sizes per device. Our field names are different from The iPhone Wiki, but the meaning of the fields seems to be the same?

=== Leftover SHA ===

It seems like whatever generates IMG1 images does so in the following pseudocode:

 sha1(src=data, srcLen=0x40, dst=data+0x40)
 aes(src=data+0x40, size=0x10)
 // data is ready, ship it!

Because after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes).
This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1s(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. 96a2c3db23e8c45b9ff9aa8be41eb9ecc1f69da8 21902 21901 2021-12-09T22:23:18Z Q3k 6232 /* IMG1 v2.0 */ wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. == IMG1 v2.0 == This is what we call the newer iteration of S5L images, as used in the Nano4G and up (and maybe Nano3G? to check). Here is the structure definition: struct IMG1_20 { char magic[4]; // SoC digits, eg. `8720`. char version[3]; // `2.0`. byte format; // Encryption/signature format: 3 for encrypted/signed. Same as IMG1 1.0. uint entrypoint; // Offset to jump to within body (after header). uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. uint dataLen; // Size of everything that's not the header (body + signature + certificates). uint footerCertOffset; // Offset of certificate start (after header). uint footerCertLen; // Size of certificate bundle. byte salt[32]; // Random data. ushort unk1; ushort unk2; // Security epoch? byte headerSign[16]; // AES-encrypted SHA1 signature of everything up to headerSign. 
byte headerLeftover[4]; // Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. } The header is padded to either 0x600 (S5L8720) or 0x400 (S5L8740) bytes. The different sections are a bit tricky to reason about, there's an attempted overview: 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes) 0x54: Padding until $header_size (magic dependent, 0x600 in this example) 0x600: Body, bodyLen bytes. ... 0x600 + bodyLen: body signature 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle 0x680 + bodyLen + footerCertLen: end of file. The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen. A few assertions should hold: # File size == $header_size + bodyLen + footerCertLen + 0x80 # dataLen = bodyLen + 0x80 + footerCertLen === Differences with v1.0 === There don't seem to be any practical differences, other than the different header padding sizes per device. Our field names are different from The iPhone Wiki, but the meaning seems of the fields seems to be the same? === Leftover SHA === It seems like whatever generates IMG1 images does so in the following pseudocode: sha1(src=data, srcLen=0x40, dst=data+0x40) aes(src=data+0x40, size=0x10) // data is ready, ship it! Because after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes). This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1s(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. b282f65e3bc56c7b286d03861829c7bce32c37dc 21917 21902 2022-01-12T22:04:15Z Q3k 6232 wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. 
It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. == Header Format == struct IMG1_20 { char magic[4]; // SoC digits, eg. `8720`. char version[3]; // `1.0` or `2.0` byte format; // Encryption/signature format. See below. uint entrypoint; // Offset to jump to within body (after header). uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. uint dataLen; // Size of everything that's not the header (body + signature + certificates). uint footerCertOffset; // Offset of certificate start (after header). uint footerCertLen; // Size of certificate bundle. byte salt[32]; // Random data. ushort unk1; ushort unk2; // Security epoch? byte headerSign[16]; // AES-encrypted SHA1 signature of everything up to headerSign. byte headerLeftover[4]; // Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. } The header is padded to either 0x600 (S5L8720) or 0x400 (S5L8740) bytes. The different sections are a bit tricky to reason about, there's an attempted overview: 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes) 0x54: Padding until $header_size (magic dependent, 0x600 in this example) 0x600: Body, bodyLen bytes. ... 
 0x600 + bodyLen: body signature (for X509 formats)
 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats)
 0x680 + bodyLen + footerCertLen: end of file.

The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.

A few assertions should hold:

# File size == $header_size + bodyLen + footerCertLen + 0x80
# dataLen = bodyLen + 0x80 + footerCertLen

=== Encryption/Signature Formats ===

{| class="wikitable"
|-
! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! Notes
|-
| SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Not accepted in 2.0.
|-
| SIGNED (2) || ✅ || ❌ || ❌ || Not accepted in 2.0.
|-
| X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅ || Most (all?) released images have this type
|-
| X509_SIGNED (4) || ✅ || ❌ || ✅ ||
|}

DFU mode in N3G, N4G, N5G seems to only accept X509_SIGNED_ENCRYPTED. Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.

=== Differences between v1.0 and 2.0 ===

Nano4G+ use 2.0. Everything else uses 1.0.

1.0 bootroms support encryption formats 1, 2, 3 and 4. 2.0 only supports encryption formats 3 and 4.

When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.

=== Leftover SHA in header ===

It seems like whatever generates IMG1 images does so in the following pseudocode:

 sha1(src=data, srcLen=0x40, dst=data+0x40)
 aes(src=data+0x40, size=0x10)
 // data is ready, ship it!

Because after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes).
This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1s(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. 9e3700bd5d8f2da85e38b421f9bac4c1374d11ec 21918 21917 2022-01-12T22:18:28Z Q3k 6232 wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. == Header Format == struct IMG1_20 { char magic[4]; // SoC digits, eg. `8720`. char version[3]; // `1.0` or `2.0` byte format; // Encryption/signature format. See below. uint entrypoint; // Offset to jump to within body (after header). uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. uint dataLen; // Size of everything that's not the header (body + signature + certificates). uint footerCertOffset; // Offset of certificate start (after header). uint footerCertLen; // Size of certificate bundle. byte salt[32]; // Random data. ushort unk1; ushort unk2; // Security epoch? byte headerSign[16]; // AES-encrypted SHA1 signature of everything up to headerSign. byte headerLeftover[4]; // Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. 
Curiosity. }

The header is padded to either 0x600 (S5L8720) or 0x400 (S5L8740) bytes.

The different sections are a bit tricky to reason about; here's an attempted overview:

 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes)
 0x54: Padding until $header_size (magic dependent, 0x600 in this example)
 0x600: Body, bodyLen bytes.
 ...
 0x600 + bodyLen: body signature (for X509 formats)
 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats)
 0x680 + bodyLen + footerCertLen: end of file.

The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.

A few assertions should hold:

# File size == $header_size + bodyLen + footerCertLen + 0x80
# dataLen = bodyLen + 0x80 + footerCertLen

=== Encryption/Signature Formats ===

{| class="wikitable"
|-
! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! AES Operation !! Notes
|-
| SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| SIGNED (2) || ✅ || ❌ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅ || Decryption, Global/GID Key || Most (all?) released images have this type
|-
| X509_SIGNED (4) || ✅ || ❌ || ✅ || Decryption, Global/GID Key ||
|}

DFU mode in N3G, N4G, N5G seems to only accept X509_SIGNED_ENCRYPTED. Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.

=== Differences between v1.0 and 2.0 ===

Nano4G+ use 2.0. Everything else uses 1.0.

1.0 bootroms support encryption formats 1, 2, 3 and 4. 2.0 only supports encryption formats 3 and 4.

When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.

=== Differences between iBoot/SecureROM and iPod images ===

The iPod images do not use 'Key 0x837', and in fact use the Global/GID key for all AES operations.
The iPod images are sometimes decrypted using the encrypt direction of the AES engine (formats 1 and 2) and sometimes with the decrypt direction of the AES engine (formats 3 and 4). iBoot/SecureROM images seem to all use the decrypt direction.

=== Leftover SHA in header ===

It seems like whatever generates IMG1 images does so in the following pseudocode:

 sha1(src=data, srcLen=0x40, dst=data+0x40)
 aes(src=data+0x40, size=0x10)
 // data is ready, ship it!

We infer this because, after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes).

This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following:

 hashlib.sha1(data[0:0x40]).digest()[-4:] == data[0x50:0x54]

This has likely zero security implications, but is nonetheless a fascinating curiosity.

fb5a04ae367c7a60ca3c28ea25e4a7384520c83e Nano 4G 0 243 21906 4203 2021-12-09T22:25:36Z Q3k 6232 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/12726.pdf LIS302DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
|- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58] | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | Dialog D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} == Bootrom == See [[S5L8720 Bootrom]]. ==Reverse Engineering Results== Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. ==Status registers== We dumped all c0 coprocessor registers: ===c0,c0=== '''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 4 ===c0,c1=== '''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4 way associative, 32 bytes line size ===c0,c2=== '''Value:''' 0x00000000 '''Interpretation:''' No TCM ===c0,c3=== '''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries ===c1,c0=== '''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support ===c1,c1=== '''Value:''' 0x00000011 '''Interpretation:''' Trustzone v1 ===c1,c2=== '''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure ===c1,c3=== '''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features ===c1,c4=== '''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7 ===c1,c5=== '''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM) ===c1,c6=== '''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, Prefetch 
flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation ===c1,c7=== '''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support ===c2,c0=== '''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCD, MCD2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB, doesn't support division, combined compare and branch or bitfield instructions ===c2,c1=== '''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND ===c2,c2=== '''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs ===c2,c3=== '''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPU, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions. 
===c2,c4=== '''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No barrier instructions support. ===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 1b09401861b4905673c0e6319086e6965224d3e1 21908 21906 2021-12-09T22:41:26Z Q3k 6232 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/12726.pdf LIS302DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58] | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. 
Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | Dialog D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} == Bootrom == See [[S5L8720 Bootrom]]. Different from the S5L8720 bootrom used in the iPod Touch 2G (which is iBoot-based, a.k.a. SecureROM). == Memory Map == See [https://www.theiphonewiki.com/wiki/S5L8720_(Hardware)] and [https://code.google.com/archive/p/chronicdev/wikis/N72APDevTree.wiki]. In addition to the above, a few extra memory regions have been found while reverse engineering the [[S5L8720 Bootrom]]: {| class="wikitable" ! Name !! Address !! Notes |- | Mystery DMA | 0x3880_0000 | A PL080-like DMA engine, but with slightly different MMIO register structure. Used by the [[S5L8720 Bootrom|bootrom]] to copy the DFU payload from 0x2200_0600 to 0x2200_0000 after decryption and verification. Or maybe that's actually doing the decryption? To be investigated. |- | Mystery Interrupt Thing | 0x3a90_0000 | Not the VICs (0x38e0_0000, 0x38e0_1000), not the EdgeIC (0x38e0_2000). Seems to hold 7 different 32-bit registers for interrupt status at 0xa0, and 7 different 32-bit registers for interrupt mask at 0xc0. The 7 different registers correspond to 7 'modes' of ISRs set up in the bootrom. Not much is known about what it does, and what these 'modes' are. To be investigated. |} ==Reverse Engineering Results== Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. ==Status registers== We dumped all c0 coprocessor registers: ===c0,c0=== '''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 
4 ===c0,c1=== '''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4 way associative, 32 bytes line size ===c0,c2=== '''Value:''' 0x00000000 '''Interpretation:''' No TCM ===c0,c3=== '''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries ===c1,c0=== '''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support ===c1,c1=== '''Value:''' 0x00000011 '''Interpretation:''' Trustzone v1 ===c1,c2=== '''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure ===c1,c3=== '''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features ===c1,c4=== '''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7 ===c1,c5=== '''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM) ===c1,c6=== '''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation ===c1,c7=== '''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support ===c2,c0=== '''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCD, MCD2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB, doesn't support division, combined compare and branch or bitfield instructions ===c2,c1=== '''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND ===c2,c2=== '''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, 
SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs ===c2,c3=== '''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPU, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions. ===c2,c4=== '''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No barrier instructions support. 
===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 16dc51b38bbc7323b58ed43b6a80ecf46ae1cf9c File:Nano7g front.jpg 6 6420 21911 2022-01-05T00:31:56Z User890104 124 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Nano7g back.jpg 6 6421 21912 2022-01-05T00:32:22Z User890104 124 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Nano 7G 0 6422 21913 2022-01-05T00:50:23Z User890104 124 Create Nano 7G page from iFIxit teardown wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff9024">Red</span> | CPU | Probably Samsung S5L87xx? | Apple 338S1099 | |- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff9024">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | | | 339S0193 | |} ==Notes== The "Nano" 7G is something that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. 
==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> 54c371653deb00cb0118f2731d3b5ab88a7174f5 21919 21913 2022-08-14T00:01:50Z Q3k 6232 I don't think that's the CPU, also fix red color. wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0004">Red</span> | | | Apple 338S1099 | |- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0000">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | | | 339S0193 | |} ==Notes== The "Nano" 7G is something that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. ==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> f40d5ef88e41d41f427979535f042e6e81e00c02 21920 21919 2022-08-14T00:08:53Z Q3k 6232 Guessing this is the CPU. wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | <span style="color:#ff0004">Red</span> | | | Apple 338S1099 | |- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0000">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | SoC/CPU? | S5L8740 (per IMG1) | 339S0193 | |} ==Notes== The "Nano" 7G is something that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. ==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> 831e03295382eee68c17691c9a92f11b656b914a 21921 21920 2022-08-14T00:12:35Z Q3k 6232 /* Components */ wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0004">Red</span> | PMIC | | Apple 338S1099 | Guessing based on connectivity to power components around. |- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | <span style="color:#ff0000">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | SoC/CPU | S5L8740 | 339S0193 | 8740 per IMG1. Guessing based on similar package to N6G SoC/CPU. |} ==Notes== The "Nano" 7G is something that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. ==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> f9676d6c776e0f6b74eaf28205d98bb92ca43fad 21922 21921 2022-08-14T00:26:55Z Q3k 6232 /* Components */ wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0004">Red</span> | PMIC | | Apple 338S1099 | Guessing based on connectivity to power components around. |- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0000">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | SoC/CPU | S5L8740 | 339S0193 | 8740 per IMG1. Guessing based on similar package to N6G SoC/CPU. 
Also has the most diffpairs running to/from it (from delayered PCB). |} ==Notes== The "Nano" 7G is something that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all. ==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> ac291844675474c567a219b299f382e8961ea4e1 Dumping firmware 0 53 21923 3334 2022-10-10T22:05:50Z Q3k 6232 wikitext text/x-wiki The first step to examining an iPod's firmware is getting an image of it. You can retrieve an image either from the iPod or from the internet. ==From the iPod== Getting a firmware dump of a nano 2g is very easy in Linux. Just: # Make sure the iPod is plugged in. # Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration. # A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time. To dump the firmware of any iPod classic or iPod nano from version 3 on you need to run your own code on the device to be able to dump the flash with the firmware code on it. ==From the internet== You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view its contents: ===1G-3G Nano firmware structure=== {| class="wikitable" ! Filename !! Description |- | Firmware-XX.X.X.X || The actual firmware file |- | manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes. |} ===4G Nano firmware structure=== The 4G Nanos seem to have a different structure with an interesting new file: {| class="wikitable" ! Filename !! Description |- | Firmware.MSE || The actual firmware file containing encrypted osos, etc. 
|- | manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes. |- | N58s.bootloader.release.rb3 || [[IMG1]] containing encrypted bootloader. |} You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE 892ce0fa90adf0c21913bcafb63a2ab0908cfc98 File:N3g-spi-nor.png 6 6423 21924 2022-10-13T14:02:09Z Q3k 6232 wikitext text/x-wiki Pinout of SPI NOR connections on back of N3G board. 95e6160a5a1be2fc64bb0e1e0f9b7acafeb4f4e9 File:N3g-spi-nor-zoom.png 6 6424 21925 2022-10-13T14:03:31Z Q3k 6232 wikitext text/x-wiki Zoom in of SPI NOR test pads on back of Nano 3G board. 0da3203a93be2a7b9c95ab9de8c0635bf42b9949 Nano 3G 0 242 21926 3277 2022-10-13T14:04:19Z Q3k 6232 wikitext text/x-wiki [[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8702 | 337S3473 8702, NONBWOEC, 0731 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. |- | 3 | SDRAM | [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75 | 0728, C, HYE18M256, 169CX75, W3338092 | SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. 
Another similar one that is sometimes used is the Qimonda HYE18M169CX75 |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | V80B, 729379 | Flash - NOR, 8Mb, Serial SPI |- | 6 | NAND Flash | Varies | Samsung 728, K9HCG08U5M, PCB0, FCF285X1 | |- | 1 | Audio codec | WM1870 | APPLE, 338S0462, 76BZKTM | |- | 4 | Power manager | D1671B | 338S0408, 07258HAH | |} == SPI NOR Test Pads == Test pads are available on the back of the board to access SCK, MISO and CS between the SoC and the NOR utility flash. MOSI is also present, but is buried in an internal layer (second from back) which can be accessed by carefully scraping off the top FR4 using a sharp tool, or by using a tiny carbide bit on a milling machine. [[Image:N3g-spi-nor.png|500px]] [[Image:N3g-spi-nor-zoom.png|500px]] ==Helpful pages== Chip analyses: *http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx# Teardowns: *http://content.techrepublic.com.com/2346-13636_11-170826-1.html *http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1 *http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html *[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board] 520b752fa62b0533011014d5e5871de2192198cd Nano 5G 0 244 21927 3970 2022-10-14T17:59:22Z Q3k 6232 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. ARM1176 core. |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. 
|- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATASHEET/CD00213611.pdf LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 1f7c4e9ec19dd037c592ad8bb7454c53687a2480 21928 21927 2022-10-14T18:40:03Z Q3k 6232 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. ARM1176JZF-S core (per CP15 data). |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. 
|- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATASHEET/CD00213611.pdf LIS331DLM] | 33DM, 2910 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} == CP15 Registers == Dump of CP15 registers from bootrom context: {| class="wikitable" ! cX !! cY !! opc2 !! Description !! Value !! Interpretation |- | 0 | 0 | 0 | Main ID | 410fb764 | ARM (0x41), Variant 0, Architecture: see CPUID, Part: ARM1176 |- | 0 | 0 | 1 | Cache Type | 1d152152 | Write back, format C cache lockdown, Register 7 cache cleaning operations, separate I/D caches; data cache: (no restriction on page allocation, 16KB, 4-way associative, 2 word line length) instruction cache: (no restrictions on page allocation, 16KB, 4-way, 2 word) |- | 0 | 0 | 2 | TCM Status | 00000000 | No tightly coupled memory. |- | 0 | 0 | 3 | TLB Type | 00000800 | |- | 0 | 1 | 0 | Processor Feature 0 | 00000111 | Jazelle, Thumb1, ARM (no Thumb2) |- | 0 | 1 | 1 | Processor Feature 1 | 00000011 | Security Extensions Architecture v1, Standard ARMv4 programmer's model. No microcontroller model. |- | 0 | 1 | 2 | Debug Feature 0 | 00000033 | v6.1 Secure Debug, v6.1 Debug. |- | 0 | 1 | 3 | Auxiliary Feature 0 | 00000000 | |- | 0 | 1 | 4 | Memory Model Feature 0 | 01130003 | Standard ARM1176JZF-S. |- | 0 | 1 | 5 | Memory Model Feature 1 | 10030302 | Standard ARM1176JZF-S. |- | 0 | 1 | 6 | Memory Model Feature 2 | 01222100 | Standard ARM1176JZF-S. |- | 0 | 1 | 7 | Memory Model Feature 3 | 00000000 | Standard ARM1176JZF-S. |- | 0 | 2 | 0 | Instruction Set Feature Attribute 0 | 00140011 | Standard ARM1176JZF-S. |- | 0 | 2 | 1 | Instruction Set Feature Attribute 1 | 12002111 | Standard ARM1176JZF-S. 
|- | 0 | 2 | 2 | Instruction Set Feature Attribute 2 | 11231121 | Standard ARM1176JZF-S. |- | 0 | 2 | 3 | Instruction Set Feature Attribute 3 | 01102131 | Standard ARM1176JZF-S. |- | 0 | 2 | 4 | Instruction Set Feature Attribute 4 | 00001141 | Standard ARM1176JZF-S. |- | 0 | 2 | 5 | Instruction Set Feature Attribute 5 | 00000000 | Standard ARM1176JZF-S. |- | 1 | 0 | 0 | Control | 00450078 | No Force AP, no TEX remap, CPSR E set to 0 on exception, no VIC, no extended page tables, allow unaligned data access, no fast interrupts, global enable for instruction/data TCM, loads to PC set the T bit, random cache replacement, exceptions vectors at Vector Base Address Register. I$, D$ disabled by wInd3x, branch prediction disabled, no strict alignment fault checking, no MMU. |- | 1 | 0 | 1 | Auxiliary Control | 00000007 | ... |- | 1 | 0 | 2 | Coprocessor Access Control | 00000000 | ... |- | 1 | 1 | 0 | Secure Configuration | 00000000 | ... |- | 1 | 1 | 1 | Secure Debug Enable | 00000000 | ... |- | 1 | 1 | 2 | Non-Secure Access Control | 00000000 | ... |- | 2 | 0 | 0 | Translation Table Base 0 | 00000000 | ... |- | 2 | 0 | 1 | Translation Table Base 1 | 00000000 | ... |- | 2 | 0 | 2 | Translation Table Base Control | 00000000 | ... |- | 3 | 0 | 0 | Domain Access Control | 00000000 | ... |- | 7 | 4 | 0 | PCA | 00000000 | ... |- | 7 | 10 | 6 | Cache Dirty Status | 00000000 | ... |- | 9 | 0 | 0 | Data Cache Lockdown | fffffff0 | ... |- | 9 | 0 | 1 | Instruction Cache Lockdown | fffffff0 | ... |- | 9 | 1 | 0 | Data TCM Region | 00000000 | ... |- | 9 | 1 | 1 | Instruction TCM Region | 00000000 | ... |- | 9 | 1 | 2 | Data TCM Non-secure Control Access | 00000000 | ... |- | 9 | 1 | 3 | Instruction TCM Non-secure Control Access | 00000000 | ... |- | 9 | 2 | 0 | TCM Selection | 00000000 | ... |- | 9 | 8 | 0 | Cache Behavior Override | 00000000 | ... 
|} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 8553b8e2b31d7891ade89e8de3a7f9738b1e71c0 RetailOS Options 0 6425 21929 2022-10-15T20:49:31Z Q3k 6232 Created page with "[[OSOS]] has some 'secret' options that you can enable by placing files into iPod_Control/Device. The following table shows all known options, with information on what device..." wikitext text/x-wiki [[OSOS]] has some 'secret' options that you can enable by placing files into iPod_Control/Device. The following table shows all known options, with information on which devices they are supported on. Some of these appear to have no cross-references in q3k's decompilation, but that might be a tooling issue. Ideally, we should test every single one of these :). {| class="wikitable" |- ! File !! Functionality !! Nano 5G |- | '''_enable_options''' || '''This file must be present for any other option to work.''' || ✔️ |- | _show_numeric_volume || Displays numeric value when changing volume. || ✔️ |- | _disable_cache || || ✔️ (Unused?) |- | _go_fast || || ✔️ (Unused?) |- | _show_voltage || Displays battery voltage at bottom of screen. || ✔️ |- | _show_speed || || ✔️ |- | _show_memory || Displays heap statistics at bottom of screen. || ✔️ |- | _show_fps || || ✔️ |- | _disable_mbx_timeout || Mailbox timeouts? Untested. || ✔️ |- | _tvoutwidescreen || || ✔️ |- | _enable_logging || Writes high-level logs into iPod_Control/Logs. || ✔️ |- | _enable_crash_logging || || ✔️ (Unused?) |- | _enable_memory_logging || || ✔️ (Unused?) |- | _disable_jpeg_decoder || || ✔️ (Unused?) |- | _disable_sleep || || ✔️ |- | _hibe_sleep || || ✔️ |- | _disable_hibe || || ✔️ |- | _hibe_beep || || ✔️ |- | _short_deepsleep || || ✔️ |- | _no_deepsleep || Preempted by _short_deepsleep. 
|| ✔️ |- | _dont_reject_vid || || ✔️ |- | _tcsize || File contents read (number likely expected). || ✔️ |- | _speed || File contents read (number likely expected). Default -1. || ✔️ (Unused?) |- | _no_vc0_autopower || || ✔️ (Unused?) |- | _autopow_overlay || || ✔️ (Unused?) |- | _dartboard || Weird mode in which menu/play are swapped and iTunes database seems to be ignored. || ✔️ |- | _show_brightness || || ✔️ (Unused?) |- | _car_adapter || || ✔️ |- | _usb_swap_configs || || ✔️ |- | _usb_audio_sinewave || || ✔️ |- | _usb_audio_authentication_optional || || ✔️ (Unused?) |- | _usb_audio_negotiation_optional || || ✔️ (Unused?) |- | _usb_audio_test_mode || || ✔️ (Unused?) |- | _usb_audio_lame_resampling || || ✔️ (Unused?) |- | _usb_audio_samplerate_match_style || || ✔️ (Unused?) |- | _usb_audio_resampling_method || || ✔️ (Unused?) |- | _usb_audio_show_status || || ✔️ |- | _serial_acc_iap_status || || ✔️ (Unused?) |- | _battery_always_low || || ✔️ |- | _show_cache_size || || ✔️ |- | _disable_unsplit_decoders || || ✔️ (Unused?) |- | _heap_beep || || ✔️ (Unused?) |- | _show_autobaud || || ✔️ |- | _ignore_volume_pref || || ✔️ |- | _no_volume_control || || ✔️ |- | _record_max_16mb || || ✔️ |- | _vp_lang || || ✔️ (Unused?) |- | _mockup_mode || || ✔️ (Unused?) |- | _tvout_video_display || || ✔️ (Unused?) |- | _deblocking_off || || ✔️ (Unused?) |- | _force_AACHE || || ✔️ (Unused?) |- | _force_AACLC || || ✔️ (Unused?) |- | _reset_rtc || || ✔️ (Unused?) |- | _no_volume_control || || ✔️ |- | _honor_repeat || || ✔️ |- | _rental_notify_always || || ✔️ |- | _uart30pin_debug || || ✔️ |- | _uart2_debug || Preempted by _uart30pin_debug. || ✔️ |- | _mie_on || || ✔️ (Unused?) |- | _dragster_on || || ✔️ (Unused?) |- | _try_spirit_codecs || || ✔️ |- | _amc_r2d || || ✔️ |- | _crossfade_on || || ✔️ (Unused?) |- | _mecca_trace_debug || || ✔️ (Unused?) |- | _use_aac_encoder || || ✔️ |- | _wheel_raw_data || || ✔️ (Unused?) 
|- | _wheel_app_data || || ✔️ |- | _accel_data || || ✔️ |- | _orient_me_not || || ✔️ |- | _shake_data || || ✔️ (Unused?) |- | _hold3beep || Enables debug logging to JTAG semihosting in C_exception_handler. || ✔️ |- | _skipgamedrm || Seemingly allows Manifest.plist.p7b to not be present when reading eApps/games. If present, will still be checked. || ✔️ |- | _firewire_supported || || ✔️ |- | _debug_db || || ✔️ (Unused?) |- | _EQBiasScale || Contents read. || ✔️ (Unused?) |- | _RecorderGainDB || Contents read. || ✔️ (Unused?) |- | _SpeakerEQ_HPF_Fc || Contents read. || ✔️ (Unused?) |- | _SpeakerEQPreset || Contents read. || ✔️ (Unused?) |- | _RecorderGainLimit || Contents read. || ✔️ (Unused?) |- | _6bits_accel || || ✔️ (Unused?) |- | _disable_bpfix || || ✔️ (Unused?) |- | _tuner_readings_show || || ✔️ |- | _tuner_metadata_events_show || || ✔️ |- | _tuner_buffer_time_show || || ✔️ |- | _tuner_readings_logging || || ✔️ |- | _tuner_metadata_raw_logging || || ✔️ |- | _tuner_metadata_parsed_logging || || ✔️ |- | _tuner_scan_logging || || ✔️ |- | _tuner_auto_scan || || ✔️ |- | _tuner_softmute_disable || || ✔️ |- | _tuner_hicut_disable || || ✔️ |- | _hifi_video_encoding || || ✔️ |- | _no_look_ahead_video_encoding || || ✔️ |- | _look_ahead_video_encoding || || ✔️ |- | _bvtpowertest || || ✔️ |- | _disable_clock_gating || || ✔️ |- | _writerawyuvstills || || ✔️ |- | _ped_time_10x || || ✔️ |- | _power_testing || || ✔️ |- | _ped_xyz_logging || || ✔️ |- | _ped_heartbeat || || ✔️ |- | _ped_time_100x || || ✔️ |- | _ped_time_1000x || || ✔️ |- | _log_sys_model || || ✔️ (Unused?) |- | _fm_fieldtesting || || ✔️ |- | _nand_high_clock || || ✔️ (Unused?) |- | _disable_overlay_limit || || ✔️ (Unused?) |- | _show_max_battery || || ✔️ |- | _show_fixed_time || || ✔️ |- | _photo_albums_test || || ✔️ |- | _show_pll || || ✔️ |- | _hang_frame_drop || || ✔️ |- | _disable_overlay_limit || _enable_options not required. || ✔️ (Unused?) |- | _quick_3bits || _enable_options not required. || ✔️ (Unused?) 
|}

d4d2b3fcb29c09810bb178940af33195250eb6e2
Firmware 0 56 21930 3279 2022-10-15T21:08:28Z Q3k 6232 wikitext text/x-wiki
This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]].

NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful.

==Nano 2G==
===osos===
[[OSOS]] is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.

[[Image:IN2G firmware osos header.png|thumb|caption]]
[[Image:Firmware layout.png|150px]]

===aupd===
Here is a comparison of the aupd partitions of different firmware versions for the iPod Nano 2G:

[[Image:IN2G firmware aupd header.png|thumb|caption]]
[[Image:IN2G cipher aupd diffs.png|500px]]

===rsrc===
This is the resource filesystem of the iPod firmware. It is unencrypted and not of much use to this project.

==Nano 3G==
The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF.

==Classic 1G (6G)==
The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time.

==Nano 4G==
The Nano 4G kept ''osos'', but all the other old sections were removed. Instead, seven new sections were added:
* Binaries
** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly.
** ''disk'' - Disk mode
* Bitmaps
** ''appl'' - Apple logo for booting
** ''bdhw'' - Bad hardware image
** ''bdsw'' - Bad software image (Use iTunes to restore)
** ''lbat'' - Low battery image
** ''chrg'' - Same as lbat but showing that the iPod is charging

==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://www.ipodlinux.org/wiki/Firmware

24c1b29142a9b26c40075708ddcd68835eef169d
RetailOS 0 6426 21931 2022-10-15T21:10:01Z Q3k 6232 Created page with "The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == There doesn't seem to be a well-kn..." wikitext text/x-wiki
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==
There doesn't seem to be a well-known public name for the iPod operating system. The earlier stages of the boot chain call it ''osos'', but that might just be ''os'' repeated twice to fill the 4 characters required for payload names. The iPodLinux folks call it RetailOS.

== Architecture ==
OSOS is a small, embedded, single-user, single-binary, purpose-built RTOS. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

A part of the operating system (likely the user-facing part) was developed by a company called Pixo <ref>https://www.sfgate.com/business/article/Little-known-startup-was-behind-iPod-s-2733248.php</ref>, and traces of this pedigree can still be found in the OSOS binary (for example in the strings ''Non Pixo Task %d'', ''navigator.PopToPixoMainScreen''). It's not exactly clear how much of the underlying RTOS functionality is based on the Pixo product vs. built from scratch by Apple.

== Security ==
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

== Boot chain ==
OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.

a3af42e24a8754dfde5d148f6e252db79573180f
RetailOS 0 6426 21932 21931 2022-10-15T21:16:24Z Q3k 6232 wikitext text/x-wiki
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==
There doesn't seem to be a well-known public name for the iPod operating system. The earlier stages of the boot chain call it ''osos'', but that might just be ''os'' repeated twice to fill the 4 characters required for payload names. The iPodLinux folks call it RetailOS.

== Architecture ==
OSOS is a small, embedded, single-user, single-binary, purpose-built RTOS. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

A part of the operating system (likely the user-facing part) was developed by a company called Pixo <ref>https://www.sfgate.com/business/article/Little-known-startup-was-behind-iPod-s-2733248.php</ref>, and traces of this pedigree can still be found in the OSOS binary (for example in the strings ''Non Pixo Task %d'', ''navigator.PopToPixoMainScreen''). It's not exactly clear how much of the underlying RTOS functionality is based on the Pixo product vs. built from scratch by Apple.

== Security ==
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

=== Boot chain ===
OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.

=== eApp Signing ===
Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==
We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]].

56bb1f12fee9dd2456f79cac2f0f0a663acae585
21940 21932 2022-11-01T01:20:57Z Q3k 6232 wikitext text/x-wiki
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==
There doesn't seem to be a well-known public name for the iPod operating system. The earlier stages of the boot chain call it ''osos'', but that might just be ''os'' repeated twice to fill the 4 characters required for payload names. The iPodLinux folks call it RetailOS.

== Architecture ==
OSOS is a small, embedded, single-user, single-binary, real time operating system. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>

== Security ==
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

=== Boot chain ===
OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.

=== eApp Signing ===
Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==
We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]].

ae1f144d82f27bd008d8631fe69d68cd829ada63
21942 21940 2023-01-02T20:41:34Z Q3k 6232 wikitext text/x-wiki
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==
There doesn't seem to be a well-known public name for the iPod operating system. The earlier stages of the boot chain call it ''osos'', but that might just be ''os'' repeated twice to fill the 4 characters required for payload names. The iPodLinux folks call it RetailOS.

== Architecture ==
OSOS is a small, embedded, single-user, single-binary, real time operating system. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>

== Security ==
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

=== Boot chain ===
OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.

=== eApp Signing ===
Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==
We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]].

== External links ==
* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]

f633cf1ccbd08ed8e489bf345e559f8c46da8245
RetailOS Options 0 6425 21933 21929 2022-10-16T18:48:29Z Q3k 6232 wikitext text/x-wiki
[[OSOS]] has some 'secret' options that you can enable by placing files into iPod_Control/Device. The following table shows all known options, with information on which devices support them.

Some of these appear to have no cross-references in q3k's decompilation, but that might be a tooling issue. Ideally, we should test every single one of these :).

{| class="wikitable"
|-
! File !! Functionality !! Nano 5G
|-
| '''_enable_options''' || '''This file must be present for any other option to work.''' || ✔️
|-
| _show_numeric_volume || Displays numeric value when changing volume. || ✔️
|-
| _disable_cache || || ✔️ (Unused?)
|-
| _go_fast || || ✔️ (Unused?)
|-
| _show_voltage || Displays battery voltage at bottom of screen.
|| ✔️ |- | _show_speed || || ✔️ |- | _show_memory || Displays heap statistics at bottom of screen. || ✔️ |- | _show_fps || || ✔️ |- | _disable_mbx_timeout || Mailbox timeouts? Untested. || ✔️ |- | _tvoutwidescreen || || ✔️ |- | _enable_logging || Writes high-level logs into iPod_Control/Logs. || ✔️ |- | _enable_crash_logging || || ✔️ (Unused?) |- | _enable_memory_logging || || ✔️ (Unused?) |- | _disable_jpeg_decoder || || ✔️ (Unused?) |- | _disable_sleep || || ✔️ |- | _hibe_sleep || || ✔️ |- | _disable_hibe || || ✔️ |- | _hibe_beep || || ✔️ |- | _short_deepsleep || || ✔️ |- | _no_deepsleep || Preempted by _short_deepsleep. || ✔️ |- | _dont_reject_vid || || ✔️ |- | _tcsize || File contents read (number likely expected). || ✔️ |- | _speed || File contents read (number likely expected). Default -1. || ✔️ (Unused?) |- | _no_vc0_autopower || || ✔️ (Unused?) |- | _autopow_overlay || || ✔️ (Unused?) |- | _dartboard || Weird mode in which menu/play are swapped and iTunes database seems to be ignored. || ✔️ |- | _show_brightness || || ✔️ (Unused?) |- | _car_adapter || || ✔️ |- | _usb_swap_configs || || ✔️ |- | _usb_audio_sinewave || || ✔️ |- | _usb_audio_authentication_optional || || ✔️ (Unused?) |- | _usb_audio_negotiation_optional || || ✔️ (Unused?) |- | _usb_audio_test_mode || || ✔️ (Unused?) |- | _usb_audio_lame_resampling || || ✔️ (Unused?) |- | _usb_audio_samplerate_match_style || || ✔️ (Unused?) |- | _usb_audio_resampling_method || || ✔️ (Unused?) |- | _usb_audio_show_status || || ✔️ |- | _serial_acc_iap_status || || ✔️ (Unused?) |- | _battery_always_low || || ✔️ |- | _show_cache_size || || ✔️ |- | _disable_unsplit_decoders || || ✔️ (Unused?) |- | _heap_beep || || ✔️ (Unused?) |- | _show_autobaud || || ✔️ |- | _ignore_volume_pref || || ✔️ |- | _no_volume_control || || ✔️ |- | _record_max_16mb || || ✔️ |- | _vp_lang || || ✔️ (Unused?) |- | _mockup_mode || || ✔️ (Unused?) |- | _tvout_video_display || || ✔️ (Unused?) |- | _deblocking_off || || ✔️ (Unused?) 
|- | _force_AACHE || || ✔️ (Unused?) |- | _force_AACLC || || ✔️ (Unused?) |- | _reset_rtc || || ✔️ (Unused?) |- | _no_volume_control || || ✔️ |- | _honor_repeat || || ✔️ |- | _rental_notify_always || || ✔️ |- | _uart30pin_debug || || ✔️ |- | _uart2_debug || Preempted by _uart30pin_debug. || ✔️ |- | _mie_on || || ✔️ (Unused?) |- | _dragster_on || || ✔️ (Unused?) |- | _try_spirit_codecs || || ✔️ |- | _amc_r2d || || ✔️ |- | _crossfade_on || || ✔️ (Unused?) |- | _mecca_trace_debug || || ✔️ (Unused?) |- | _use_aac_encoder || || ✔️ |- | _wheel_raw_data || || ✔️ (Unused?) |- | _wheel_app_data || || ✔️ |- | _accel_data || || ✔️ |- | _orient_me_not || || ✔️ |- | _shake_data || || ✔️ (Unused?) |- | _hold3beep || Halt and wait for JTAG in C_exception_handler. Probably. || ✔️ |- | _skipgamedrm || Seemingly allows Manifest.plist.p7b to not be present when reading eApps/games. If present, will still be checked. || ✔️ |- | _firewire_supported || || ✔️ |- | _debug_db || || ✔️ (Unused?) |- | _EQBiasScale || Contents read. || ✔️ (Unused?) |- | _RecorderGainDB || Contents read. || ✔️ (Unused?) |- | _SpeakerEQ_HPF_Fc || Contents read. || ✔️ (Unused?) |- | _SpeakerEQPreset || Contents read. || ✔️ (Unused?) |- | _RecorderGainLimit || Contents read. || ✔️ (Unused?) |- | _6bits_accel || || ✔️ (Unused?) |- | _disable_bpfix || || ✔️ (Unused?) 
|-
| _tuner_readings_show || || ✔️
|-
| _tuner_metadata_events_show || || ✔️
|-
| _tuner_buffer_time_show || || ✔️
|-
| _tuner_readings_logging || || ✔️
|-
| _tuner_metadata_raw_logging || || ✔️
|-
| _tuner_metadata_parsed_logging || || ✔️
|-
| _tuner_scan_logging || || ✔️
|-
| _tuner_auto_scan || || ✔️
|-
| _tuner_softmute_disable || || ✔️
|-
| _tuner_hicut_disable || || ✔️
|-
| _hifi_video_encoding || || ✔️
|-
| _no_look_ahead_video_encoding || || ✔️
|-
| _look_ahead_video_encoding || || ✔️
|-
| _bvtpowertest || || ✔️
|-
| _disable_clock_gating || || ✔️
|-
| _writerawyuvstills || || ✔️
|-
| _ped_time_10x || || ✔️
|-
| _power_testing || || ✔️
|-
| _ped_xyz_logging || || ✔️
|-
| _ped_heartbeat || || ✔️
|-
| _ped_time_100x || || ✔️
|-
| _ped_time_1000x || || ✔️
|-
| _log_sys_model || || ✔️ (Unused?)
|-
| _fm_fieldtesting || || ✔️
|-
| _nand_high_clock || || ✔️ (Unused?)
|-
| _disable_overlay_limit || || ✔️ (Unused?)
|-
| _show_max_battery || || ✔️
|-
| _show_fixed_time || || ✔️
|-
| _photo_albums_test || || ✔️
|-
| _show_pll || || ✔️
|-
| _hang_frame_drop || || ✔️
|-
| _disable_overlay_limit || _enable_options not required. || ✔️ (Unused?)
|-
| _quick_3bits || _enable_options not required. || ✔️ (Unused?)
|}

a93f8d155cb3355571a316cf61322b5137eac5a9
21934 21933 2022-10-16T19:07:20Z Q3k 6232 wikitext text/x-wiki
[[OSOS]] has some 'secret' options that you can enable by placing files into iPod_Control/Device. The following table shows all known options, with information on which devices support them.

Some of these appear to have no cross-references in q3k's decompilation, but that might be a tooling issue. Ideally, we should test every single one of these :).

{| class="wikitable"
|-
! File !! Functionality !! Nano 5G
|-
| '''_enable_options''' || '''This file must be present for any other option to work.''' || ✔️
|-
| _show_numeric_volume || Displays numeric value when changing volume. || ✔️
|-
| _disable_cache || || ✔️ (Unused?)
|-
| _go_fast || || ✔️ (Unused?)
|- | _show_voltage || Displays battery voltage at bottom of screen. || ✔️ |- | _show_speed || || ✔️ |- | _show_memory || Displays heap statistics at bottom of screen. || ✔️ |- | _show_fps || || ✔️ |- | _disable_mbx_timeout || Mailbox timeouts? PowerVR MBX timeouts? Untested. || ✔️ |- | _tvoutwidescreen || || ✔️ |- | _enable_logging || Writes high-level logs into iPod_Control/Logs. || ✔️ |- | _enable_crash_logging || || ✔️ (Unused?) |- | _enable_memory_logging || || ✔️ (Unused?) |- | _disable_jpeg_decoder || || ✔️ (Unused?) |- | _disable_sleep || || ✔️ |- | _hibe_sleep || || ✔️ |- | _disable_hibe || || ✔️ |- | _hibe_beep || || ✔️ |- | _short_deepsleep || || ✔️ |- | _no_deepsleep || Preempted by _short_deepsleep. || ✔️ |- | _dont_reject_vid || || ✔️ |- | _tcsize || File contents read (number likely expected). || ✔️ |- | _speed || File contents read (number likely expected). Default -1. || ✔️ (Unused?) |- | _no_vc0_autopower || || ✔️ (Unused?) |- | _autopow_overlay || || ✔️ (Unused?) |- | _dartboard || Weird mode in which menu/play are swapped and iTunes database seems to be ignored. || ✔️ |- | _show_brightness || || ✔️ (Unused?) |- | _car_adapter || || ✔️ |- | _usb_swap_configs || || ✔️ |- | _usb_audio_sinewave || || ✔️ |- | _usb_audio_authentication_optional || || ✔️ (Unused?) |- | _usb_audio_negotiation_optional || || ✔️ (Unused?) |- | _usb_audio_test_mode || || ✔️ (Unused?) |- | _usb_audio_lame_resampling || || ✔️ (Unused?) |- | _usb_audio_samplerate_match_style || || ✔️ (Unused?) |- | _usb_audio_resampling_method || || ✔️ (Unused?) |- | _usb_audio_show_status || || ✔️ |- | _serial_acc_iap_status || || ✔️ (Unused?) |- | _battery_always_low || || ✔️ |- | _show_cache_size || || ✔️ |- | _disable_unsplit_decoders || || ✔️ (Unused?) |- | _heap_beep || || ✔️ (Unused?) |- | _show_autobaud || || ✔️ |- | _ignore_volume_pref || || ✔️ |- | _no_volume_control || || ✔️ |- | _record_max_16mb || || ✔️ |- | _vp_lang || || ✔️ (Unused?) |- | _mockup_mode || || ✔️ (Unused?) 
|- | _tvout_video_display || || ✔️ (Unused?) |- | _deblocking_off || || ✔️ (Unused?) |- | _force_AACHE || || ✔️ (Unused?) |- | _force_AACLC || || ✔️ (Unused?) |- | _reset_rtc || || ✔️ (Unused?) |- | _no_volume_control || || ✔️ |- | _honor_repeat || || ✔️ |- | _rental_notify_always || || ✔️ |- | _uart30pin_debug || || ✔️ |- | _uart2_debug || Preempted by _uart30pin_debug. || ✔️ |- | _mie_on || || ✔️ (Unused?) |- | _dragster_on || || ✔️ (Unused?) |- | _try_spirit_codecs || || ✔️ |- | _amc_r2d || || ✔️ |- | _crossfade_on || || ✔️ (Unused?) |- | _mecca_trace_debug || || ✔️ (Unused?) |- | _use_aac_encoder || || ✔️ |- | _wheel_raw_data || || ✔️ (Unused?) |- | _wheel_app_data || || ✔️ |- | _accel_data || || ✔️ |- | _orient_me_not || || ✔️ |- | _shake_data || || ✔️ (Unused?) |- | _hold3beep || Halt and wait for JTAG in C_exception_handler. Probably. || ✔️ |- | _skipgamedrm || Seemingly allows Manifest.plist.p7b to not be present when reading eApps/games. If present, will still be checked. || ✔️ |- | _firewire_supported || || ✔️ |- | _debug_db || || ✔️ (Unused?) |- | _EQBiasScale || Contents read. || ✔️ (Unused?) |- | _RecorderGainDB || Contents read. || ✔️ (Unused?) |- | _SpeakerEQ_HPF_Fc || Contents read. || ✔️ (Unused?) |- | _SpeakerEQPreset || Contents read. || ✔️ (Unused?) |- | _RecorderGainLimit || Contents read. || ✔️ (Unused?) |- | _6bits_accel || || ✔️ (Unused?) |- | _disable_bpfix || || ✔️ (Unused?) 
|-
| _tuner_readings_show || || ✔️
|-
| _tuner_metadata_events_show || || ✔️
|-
| _tuner_buffer_time_show || || ✔️
|-
| _tuner_readings_logging || || ✔️
|-
| _tuner_metadata_raw_logging || || ✔️
|-
| _tuner_metadata_parsed_logging || || ✔️
|-
| _tuner_scan_logging || || ✔️
|-
| _tuner_auto_scan || || ✔️
|-
| _tuner_softmute_disable || || ✔️
|-
| _tuner_hicut_disable || || ✔️
|-
| _hifi_video_encoding || || ✔️
|-
| _no_look_ahead_video_encoding || || ✔️
|-
| _look_ahead_video_encoding || || ✔️
|-
| _bvtpowertest || || ✔️
|-
| _disable_clock_gating || || ✔️
|-
| _writerawyuvstills || || ✔️
|-
| _ped_time_10x || || ✔️
|-
| _power_testing || || ✔️
|-
| _ped_xyz_logging || || ✔️
|-
| _ped_heartbeat || || ✔️
|-
| _ped_time_100x || || ✔️
|-
| _ped_time_1000x || || ✔️
|-
| _log_sys_model || || ✔️ (Unused?)
|-
| _fm_fieldtesting || || ✔️
|-
| _nand_high_clock || || ✔️ (Unused?)
|-
| _disable_overlay_limit || || ✔️ (Unused?)
|-
| _show_max_battery || || ✔️
|-
| _show_fixed_time || || ✔️
|-
| _photo_albums_test || || ✔️
|-
| _show_pll || || ✔️
|-
| _hang_frame_drop || || ✔️
|-
| _disable_overlay_limit || _enable_options not required. || ✔️ (Unused?)
|-
| _quick_3bits || _enable_options not required. || ✔️ (Unused?)
|}

9359aa3d65f17141bba62c086fee885a739dc13e
File:Nano5G JTAG.png 6 6427 21935 2022-10-17T18:26:54Z Q3k 6232 wikitext text/x-wiki
Photo of the mod required on the Nano 5G logic board to get JTAG working.

6876e46824a43dbb65f8068c557e5c6575301af0
File:Nano5G Broken JTAG.png 6 6428 21936 2022-10-17T18:42:13Z Q3k 6232 wikitext text/x-wiki
A GDB log showing the weirdness of JTAG on Nanos.

8a09b3be90cc6179de42260e237997e9a1d9b077
JTAG 0 6429 21937 2022-10-17T18:42:52Z Q3k 6232 Created page with "Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! L..." wikitext text/x-wiki
Some iPods seemingly have the ability to be debugged over JTAG.
Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! Location |- | Nano 2G || JTAG (memory locked out) || 30-pin connector, needs jumpers |- | Nano 5G || JTAG (memory locked out) || 30-pin connector, needs jumpers |} === Nano 2G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 17 || TMS |- | 21 || TDI |- | 22 || TDO |- | 23 || TCK |- | 24 || nTRST |} In addition, the following pads need to be bridged on the logic board: [[Image:Top_annote.jpg|500px]] === Nano 5G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 3 || RTCK (optional) |- | 5 || TDO |- | 9 || TDI |- | 14 || TCK |- | 17 || TMS |} In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board: [[Image:Nano5G JTAG.png|500px]] == 'Memory locked out' JTAG == Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the [[Nano2G_HW_analysis|Nano 2G initial reverse engineering process]] low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found. [[Image:Nano5G Broken JTAG.png|300px]] What has been attempted so far: # Making sure the WDT isn't running. # Writing to CHIPID in an attempt to 'demote' the devices à la iOS. # Connecting while the device is in the BootROM. Other observations: # The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does). 
# This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely. 769314e94c8f9f3e8610d9057834f957cc7b4bbc 21938 21937 2022-10-17T18:44:29Z Q3k 6232 wikitext text/x-wiki Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! Location |- | Nano 2G || JTAG (memory locked out) || 30-pin connector, needs jumpers |- | Nano 5G || JTAG (memory locked out) || 30-pin connector, needs jumpers |} === Nano 2G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 17 || TMS |- | 21 || TDI |- | 22 || TDO |- | 23 || TCK |- | 24 || nTRST |} In addition, the following pads need to be bridged on the logic board: [[Image:Top_annote.jpg|500px]] === Nano 5G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 3 || RTCK (optional) |- | 5 || TDO |- | 9 || TDI |- | 14 || TCK |- | 17 || TMS |} In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board: [[Image:Nano5G JTAG.png|500px]] == 'Memory locked out' JTAG == Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the [[Nano2G_HW_analysis|Nano 2G initial reverse engineering process]] low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found. [[Image:Nano5G Broken JTAG.png|300px]] The above listing shows OpenOCD/GDB connected to a Nano 5G a while after it has been first scanned via JTAG. 
It seems to be stuck in a permanent 'data abort' handler loop, with some pretty trashed register values (although some of them are still in valid range for running OSOS from 0x0800_0000). What has been attempted so far: # Making sure the WDT isn't running. # Writing to CHIPID in an attempt to 'demote' the devices à la iOS. # Connecting while the device is in the BootROM. Other observations: # The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does). # This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely. fa0255664decaaa712ab5ea6e97a81ae3bc4219b 21939 21938 2022-10-17T18:47:16Z Q3k 6232 wikitext text/x-wiki Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! Location |- | Nano 2G || JTAG (memory locked out) || 30-pin connector, needs jumpers |- | Nano 5G || JTAG (memory locked out) || 30-pin connector, needs jumpers |} === Nano 2G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 17 || TMS |- | 21 || TDI |- | 22 || TDO |- | 23 || TCK |- | 24 || nTRST |} In addition, the following pads need to be bridged on the logic board: [[Image:Top_annote.jpg|500px]] === Nano 5G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! 
Function |- | 3 || RTCK (optional) |- | 5 || TDO |- | 9 || TDI |- | 14 || TCK |- | 17 || TMS |} In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board: [[Image:Nano5G JTAG.png|500px]] == 'Memory locked out' JTAG == Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the [[Nano2G_HW_analysis|Nano 2G initial reverse engineering process]] low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found. [[Image:Nano5G Broken JTAG.png|300px]] The above listing shows OpenOCD/GDB connected to a Nano 5G a while after it has been first scanned via JTAG. It seems to be stuck in a permanent 'data abort' handler loop, with some pretty trashed register values (although some of them are still in valid range for running the BootROM). What has been attempted so far: # Making sure the WDT isn't running. # Writing to CHIPID in an attempt to 'demote' the devices à la iOS. # Connecting while the device is in the BootROM. Other observations: # The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does). # This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely. 8b0e23383dbbb4200da5c970002c6c8f8c8f591a Nano 5G 0 244 21941 21928 2022-11-03T23:44:56Z Q3k 6232 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. ARM1176JZF-S core (per CP15 data). |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATASHEET/CD00213611.pdf LIS331DLM] | 33DM, 2910 | The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} == CP15 Registers == Dump of CP15 registers from bootrom context: {| class="wikitable" ! cX !! cY !! opc2 !! Description !! Value !! Interpretation |- | 0 | 0 | 0 | Main ID | 410fb764 | ARM (0x41), Variant 0, Architecture: see CPUID, Part: ARM1176 |- | 0 | 0 | 1 | Cache Type | 1d152152 | Write back, format C cache lockdown, Register 7 cache cleaning operations, separate I/D caches; data cache: (no restriction on page allocation, 16KB, 4-way associative, 2 word line length) instruction cache: (no restrictions on page allocation, 16KB, 4-way, 2 word) |- | 0 | 0 | 2 | TCM Status | 00000000 | No tightly coupled memory. |- | 0 | 0 | 3 | TLB Type | 00000800 | |- | 0 | 1 | 0 | Processor Feature 0 | 00000111 | Jazelle, Thumb1, ARM (no Thumb2) |- | 0 | 1 | 1 | Processor Feature 1 | 00000011 | Security Extensions Architecture v1, Standard ARMv4 programmer's model. 
No microcontroller model. |- | 0 | 1 | 2 | Debug Feature 0 | 00000033 | v6.1 Secure Debug, v6.1 Debug. |- | 0 | 1 | 3 | Auxiliary Feature 0 | 00000000 | |- | 0 | 1 | 4 | Memory Model Feature 0 | 01130003 | Standard ARM1176JZF-S. |- | 0 | 1 | 5 | Memory Model Feature 1 | 10030302 | Standard ARM1176JZF-S. |- | 0 | 1 | 6 | Memory Model Feature 2 | 01222100 | Standard ARM1176JZF-S. |- | 0 | 1 | 7 | Memory Model Feature 3 | 00000000 | Standard ARM1176JZF-S. |- | 0 | 2 | 0 | Instruction Set Feature Attribute 0 | 00140011 | Standard ARM1176JZF-S. |- | 0 | 2 | 1 | Instruction Set Feature Attribute 1 | 12002111 | Standard ARM1176JZF-S. |- | 0 | 2 | 2 | Instruction Set Feature Attribute 2 | 11231121 | Standard ARM1176JZF-S. |- | 0 | 2 | 3 | Instruction Set Feature Attribute 3 | 01102131 | Standard ARM1176JZF-S. |- | 0 | 2 | 4 | Instruction Set Feature Attribute 4 | 00001141 | Standard ARM1176JZF-S. |- | 0 | 2 | 5 | Instruction Set Feature Attribute 5 | 00000000 | Standard ARM1176JZF-S. |- | 1 | 0 | 0 | Control | 00450078 | No Force AP, no TEX remap, CPSR E set to 0 on exception, no VIC, no extended page tables, allow unaligned data access, no fast interrupts, global enable for instruction/data TCM, loads to PC set the T bit, random cache replacement, exceptions vectors at Vector Base Address Register. I$, D$ disabled by wInd3x, branch prediction disabled, no strict alignment fault checking, no MMU. |- | 1 | 0 | 1 | Auxiliary Control | 00000007 | ... |- | 1 | 0 | 2 | Coprocessor Access Control | 00000000 | ... |- | 1 | 1 | 0 | Secure Configuration | 00000000 | ... |- | 1 | 1 | 1 | Secure Debug Enable | 00000000 | ... |- | 1 | 1 | 2 | Non-Secure Access Control | 00000000 | ... |- | 2 | 0 | 0 | Translation Table Base 0 | 00000000 | ... |- | 2 | 0 | 1 | Translation Table Base 1 | 00000000 | ... |- | 2 | 0 | 2 | Translation Table Base Control | 00000000 | ... |- | 3 | 0 | 0 | Domain Access Control | 00000000 | ... |- | 7 | 4 | 0 | PCA | 00000000 | ... 
|- | 7 | 10 | 6 | Cache Dirty Status | 00000000 | ... |- | 9 | 0 | 0 | Data Cache Lockdown | fffffff0 | ... |- | 9 | 0 | 1 | Instruction Cache Lockdown | fffffff0 | ... |- | 9 | 1 | 0 | Data TCM Region | 00000000 | ... |- | 9 | 1 | 1 | Instruction TCM Region | 00000000 | ... |- | 9 | 1 | 2 | Data TCM Non-secure Control Access | 00000000 | ... |- | 9 | 1 | 3 | Instruction TCM Non-secure Control Access | 00000000 | ... |- | 9 | 2 | 0 | TCM Selection | 00000000 | ... |- | 9 | 8 | 0 | Cache Behavior Override | 00000000 | ... |} == Clock Gates == The clock gate registers are: {| class="wikitable" ! Address !! Name |- | 0x3C500048 | GATES[0] |- | 0x3C50004C | GATES[1] |- | 0x3C500058 | GATES[4] |- | 0x3C500068 | GATES[8] |- | 0x3C50006C | GATES[9] |} GATES[2, 3, 5, 6, 7], etc seem to be unused. A clock is enabled by setting a corresponding bit (GATE[n][m]) low. The following clock gates have been extracted by analyzing debug structures in OSOS. We also provide the 'numerical' argument that can be passed to the clkgen_{enable,disable}_gate function calls in the BootROM. The BootROM will automatically enable some function-related gates together if one is specified. This is probably a leftover from earlier codebases where one functionality would correspond to one clock gate bit, while now a functionality might be gated behind multiple bits. {| class="wikitable" ! Function !! Register(s)/Bit(s) !! 
Number in BootROM |- | AES | GATE[0][7] | 7 |- | AMC | GATE[0][3] | 3 |- | AMC-core | GATE[0][4] | 4 |- | AMCSS | GATE[1][17] | 38 |- | ARM-core | GATE[0][15] | 15 |- | ARM-icu | GATE[0][16] | 16 |- | ARM-sleep | GATE[0][20] | 20 |- | AXI-bus | GATE[1][18] | 39 |- | AXI-spine | GATE[8][13] | 63 |- | AXI-video | GATE[8][14] | 64 |- | CAMIF | GATE[0][17], GATE[8][15] | 17, 65 |- | CEATA | GATE[0][6] | 6 |- | CLCD | GATE[8][9] | 59 |- | CLCD-OTF | GATE[8][10] | 60 |- | CSIS | GATE[0][18] | 18 |- | DDR-MIU | GATE[9][17] | 89 |- | DMAC0 | GATE[0][11] | 11 |- | DMAC1 | GATE[0][12] | 12 |- | DMAX | GATE[8][8] | 58 |- | ECC | GATE[0][9] | 9 |- | ECID | GATE[1][14] | 35 |- | FMC | GATE[0][5] | 5 |- | GPIO | GATE[1][12] | 33 |- | H264 | GATE[8][2], GATE[9][18] | 52, 90 |- | H264ENC | GATE[4][7], GATE[8][16], GATE[8][17] | 60, 66, 67 |- | IIC0 | GATE[1][4], GATE[9][11] | 25, 83 |- | IIC1 | GATE[1][6], GATE[9][12] | 27, 84 |- | IIS0 | GATE[1][7] | 28 |- | IIS1 | GATE[1][10] | 31 |- | IIS2 | GATE[1][16] | 37 |- | JPEG | GATE[0][19] | 19 |- | LCD | GATE[0][1], GATE[9][16] | 1, 88 |- | MBX-3D | GATE[8][6] | 56 |- | MBX-bus | GATE[8][7] | 57 |- | MBX-core | GATE[8][5] | 55 |- | MIPI-link | GATE[1][19] | 40 |- | MIXER | GATE[8][1] | 51 |- | MPVD | GATE[8][3] | 53 |- | PKE | GATE[1][13] | 34 |- | PL301MPVD | GATE[1][21] | 42 |- | PRNG | GATE[1][0] | 21 |- | RINGOSC | GATE[4][0] | 53 |- | SCALER | GATE[8][4], GATE[9][25] | 54, 97 |- | SDIO | GATE[0][8] | 8 |- | SHA1 | GATE[0][0] | 0 |- | SPD | GATE[1][8] | 29 |- | SPI0 | GATE[1][2], GATE[9][13] | 23, 85 |- | SPI1 | GATE[1][11], GATE[9][14] | 32, 86 |- | SPI2 | GATE[1][15], GATE[9][15] | 36, 87 |- | SPI3 | GATE[4][1], GATE[9][19] | 54, 91 |- | SPI4 | GATE[4][4], GATE[9][20] | 57, 92 |- | SWI | GATE[4][2], GATE[9][21] | 55, 93 |- | TIMER0 | GATE[1][5], GATE[9][0] | 26, 72 |- | TIMER1 | GATE[1][23], GATE[9][1] | 44, 73 |- | TIMER2 | GATE[1][24], GATE[9][2] | 45, 74 |- | TIMER3 | GATE[1][25], GATE[9][3] | 46, 75 |- | TIMER4 | 
GATE[1][26], GATE[9][4] | 47, 76 |- | TIMER5 | GATE[1][27], GATE[9][5] | 48, 77 |- | TIMER6 | GATE[1][28], GATE[9][6] | 49, 78 |- | TIMER7 | GATE[4][5], GATE[9][22] | 58, 94 |- | TIMER8 | GATE[4][6], GATE[9][23] | 59, 95 |- | TVOUT | GATE[0][10] | 10 |- | TW | GATE[1][1] | 22 |- | UART0 | GATE[1][9], GATE[9][7] | 30, 79 |- | UART1 | GATE[1][29], GATE[9][8] | 50, 80 |- | UART2 | GATE[1][30], GATE[9][9] | 51, 81 |- | UART3 | GATE[1][31], GATE[9][10] | 52, 82 |- | UART4 | GATE[4][8], GATE[9][26] | 61, 98 |- | USB-OTG | GATE[0][2] | 2 |- | USB2-PHY | GATE[1][3] | 24 |- | VP | GATE[8][0] | 50 |- | VROM | GATE[0][13] | 13 |- | XMC | GATE[8][12] | 62 |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 e1e0d76945c421e90e0dad2e056c0c2a0023c841 21981 21941 2023-01-09T16:31:50Z Q3k 6232 wikitext text/x-wiki [[Image:nano_5g_frt_a.png|500px]] [[Image:nano_5g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 2 | CPU | Samsung S5L8730 | 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931 | Printed backwards on the chip - how sneaky. ARM1176JZF-S core (per CP15 data). |- | | SDRAM | | | Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 8 | NAND Flash | Various 8/16 GB chips | TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE | One example is TH58NVG6D2ELA49 visible on the iFixit Teardown |- | 1 | Power manager | Probably Dialog | 338S0707, -AD, 09278HGZ | Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device. |- | 3 | | | | |- | 4 | | | | |- | 5 | Audio codec | Cirrus Logic CLI1480A | 338S0559, ATWV0926, SGP | Also found in the Touch 3G. 
Stereo CODEC w/ Headphone and Speaker Amp |- | 6 | Accelerometer | [http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATASHEET/CD00213611.pdf LIS331DLM] | 33DM, 2910 | The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 7 | | | 0630, CK9Y, 925 | |} == Code Execution == Code execution on the Nano 5G was achieved by blindly porting [[WInd3x|wInd3x]]. == CP15 Registers == Dump of CP15 registers from bootrom context: {| class="wikitable" ! cX !! cY !! opc2 !! Description !! Value !! Interpretation |- | 0 | 0 | 0 | Main ID | 410fb764 | ARM (0x41), Variant 0, Architecture: see CPUID, Part: ARM1176 |- | 0 | 0 | 1 | Cache Type | 1d152152 | Write back, format C cache lockdown, Register 7 cache cleaning operations, separate I/D caches; data cache: (no restriction on page allocation, 16KB, 4-way associative, 2 word line length) instruction cache: (no restrictions on page allocation, 16KB, 4-way, 2 word) |- | 0 | 0 | 2 | TCM Status | 00000000 | No tightly coupled memory. |- | 0 | 0 | 3 | TLB Type | 00000800 | |- | 0 | 1 | 0 | Processor Feature 0 | 00000111 | Jazelle, Thumb1, ARM (no Thumb2) |- | 0 | 1 | 1 | Processor Feature 1 | 00000011 | Security Extensions Architecture v1, Standard ARMv4 programmer's model. No microcontroller model. |- | 0 | 1 | 2 | Debug Feature 0 | 00000033 | v6.1 Secure Debug, v6.1 Debug. |- | 0 | 1 | 3 | Auxiliary Feature 0 | 00000000 | |- | 0 | 1 | 4 | Memory Model Feature 0 | 01130003 | Standard ARM1176JZF-S. |- | 0 | 1 | 5 | Memory Model Feature 1 | 10030302 | Standard ARM1176JZF-S. |- | 0 | 1 | 6 | Memory Model Feature 2 | 01222100 | Standard ARM1176JZF-S. |- | 0 | 1 | 7 | Memory Model Feature 3 | 00000000 | Standard ARM1176JZF-S. |- | 0 | 2 | 0 | Instruction Set Feature Attribute 0 | 00140011 | Standard ARM1176JZF-S. |- | 0 | 2 | 1 | Instruction Set Feature Attribute 1 | 12002111 | Standard ARM1176JZF-S. 
|- | 0 | 2 | 2 | Instruction Set Feature Attribute 2 | 11231121 | Standard ARM1176JZF-S. |- | 0 | 2 | 3 | Instruction Set Feature Attribute 3 | 01102131 | Standard ARM1176JZF-S. |- | 0 | 2 | 4 | Instruction Set Feature Attribute 4 | 00001141 | Standard ARM1176JZF-S. |- | 0 | 2 | 5 | Instruction Set Feature Attribute 5 | 00000000 | Standard ARM1176JZF-S. |- | 1 | 0 | 0 | Control | 00450078 | No Force AP, no TEX remap, CPSR E set to 0 on exception, no VIC, no extended page tables, allow unaligned data access, no fast interrupts, global enable for instruction/data TCM, loads to PC set the T bit, random cache replacement, exceptions vectors at Vector Base Address Register. I$, D$ disabled by wInd3x, branch prediction disabled, no strict alignment fault checking, no MMU. |- | 1 | 0 | 1 | Auxiliary Control | 00000007 | ... |- | 1 | 0 | 2 | Coprocessor Access Control | 00000000 | ... |- | 1 | 1 | 0 | Secure Configuration | 00000000 | ... |- | 1 | 1 | 1 | Secure Debug Enable | 00000000 | ... |- | 1 | 1 | 2 | Non-Secure Access Control | 00000000 | ... |- | 2 | 0 | 0 | Translation Table Base 0 | 00000000 | ... |- | 2 | 0 | 1 | Translation Table Base 1 | 00000000 | ... |- | 2 | 0 | 2 | Translation Table Base Control | 00000000 | ... |- | 3 | 0 | 0 | Domain Access Control | 00000000 | ... |- | 7 | 4 | 0 | PCA | 00000000 | ... |- | 7 | 10 | 6 | Cache Dirty Status | 00000000 | ... |- | 9 | 0 | 0 | Data Cache Lockdown | fffffff0 | ... |- | 9 | 0 | 1 | Instruction Cache Lockdown | fffffff0 | ... |- | 9 | 1 | 0 | Data TCM Region | 00000000 | ... |- | 9 | 1 | 1 | Instruction TCM Region | 00000000 | ... |- | 9 | 1 | 2 | Data TCM Non-secure Control Access | 00000000 | ... |- | 9 | 1 | 3 | Instruction TCM Non-secure Control Access | 00000000 | ... |- | 9 | 2 | 0 | TCM Selection | 00000000 | ... |- | 9 | 8 | 0 | Cache Behavior Override | 00000000 | ... |} == Clock Gates == The clock gate registers are: {| class="wikitable" ! Address !! 
Name |- | 0x3C500048 | GATES[0] |- | 0x3C50004C | GATES[1] |- | 0x3C500058 | GATES[4] |- | 0x3C500068 | GATES[8] |- | 0x3C50006C | GATES[9] |} GATES[2, 3, 5, 6, 7], etc seem to be unused. A clock is enabled by setting a corresponding bit (GATE[n][m]) low. The following clock gates have been extracted by analyzing debug structures in OSOS. We also provide the 'numerical' argument that can be passed to the clkgen_{enable,disable}_gate function calls in the BootROM. The BootROM will automatically enable some function-related gates together if one is specified. This is probably a leftover from earlier codebases where one functionality would correspond to one clock gate bit, while now a functionality might be gated behind multiple bits. {| class="wikitable" ! Function !! Register(s)/Bit(s) !! Number in BootROM |- | AES | GATE[0][7] | 7 |- | AMC | GATE[0][3] | 3 |- | AMC-core | GATE[0][4] | 4 |- | AMCSS | GATE[1][17] | 38 |- | ARM-core | GATE[0][15] | 15 |- | ARM-icu | GATE[0][16] | 16 |- | ARM-sleep | GATE[0][20] | 20 |- | AXI-bus | GATE[1][18] | 39 |- | AXI-spine | GATE[8][13] | 63 |- | AXI-video | GATE[8][14] | 64 |- | CAMIF | GATE[0][17], GATE[8][15] | 17, 65 |- | CEATA | GATE[0][6] | 6 |- | CLCD | GATE[8][9] | 59 |- | CLCD-OTF | GATE[8][10] | 60 |- | CSIS | GATE[0][18] | 18 |- | DDR-MIU | GATE[9][17] | 89 |- | DMAC0 | GATE[0][11] | 11 |- | DMAC1 | GATE[0][12] | 12 |- | DMAX | GATE[8][8] | 58 |- | ECC | GATE[0][9] | 9 |- | ECID | GATE[1][14] | 35 |- | FMC | GATE[0][5] | 5 |- | GPIO | GATE[1][12] | 33 |- | H264 | GATE[8][2], GATE[9][18] | 52, 90 |- | H264ENC | GATE[4][7], GATE[8][16], GATE[8][17] | 60, 66, 67 |- | IIC0 | GATE[1][4], GATE[9][11] | 25, 83 |- | IIC1 | GATE[1][6], GATE[9][12] | 27, 84 |- | IIS0 | GATE[1][7] | 28 |- | IIS1 | GATE[1][10] | 31 |- | IIS2 | GATE[1][16] | 37 |- | JPEG | GATE[0][19] | 19 |- | LCD | GATE[0][1], GATE[9][16] | 1, 88 |- | MBX-3D | GATE[8][6] | 56 |- | MBX-bus | GATE[8][7] | 57 |- | MBX-core | GATE[8][5] | 55 |- | MIPI-link | 
GATE[1][19] | 40 |- | MIXER | GATE[8][1] | 51 |- | MPVD | GATE[8][3] | 53 |- | PKE | GATE[1][13] | 34 |- | PL301MPVD | GATE[1][21] | 42 |- | PRNG | GATE[1][0] | 21 |- | RINGOSC | GATE[4][0] | 53 |- | SCALER | GATE[8][4], GATE[9][25] | 54, 97 |- | SDIO | GATE[0][8] | 8 |- | SHA1 | GATE[0][0] | 0 |- | SPD | GATE[1][8] | 29 |- | SPI0 | GATE[1][2], GATE[9][13] | 23, 85 |- | SPI1 | GATE[1][11], GATE[9][14] | 32, 86 |- | SPI2 | GATE[1][15], GATE[9][15] | 36, 87 |- | SPI3 | GATE[4][1], GATE[9][19] | 54, 91 |- | SPI4 | GATE[4][4], GATE[9][20] | 57, 92 |- | SWI | GATE[4][2], GATE[9][21] | 55, 93 |- | TIMER0 | GATE[1][5], GATE[9][0] | 26, 72 |- | TIMER1 | GATE[1][23], GATE[9][1] | 44, 73 |- | TIMER2 | GATE[1][24], GATE[9][2] | 45, 74 |- | TIMER3 | GATE[1][25], GATE[9][3] | 46, 75 |- | TIMER4 | GATE[1][26], GATE[9][4] | 47, 76 |- | TIMER5 | GATE[1][27], GATE[9][5] | 48, 77 |- | TIMER6 | GATE[1][28], GATE[9][6] | 49, 78 |- | TIMER7 | GATE[4][5], GATE[9][22] | 58, 94 |- | TIMER8 | GATE[4][6], GATE[9][23] | 59, 95 |- | TVOUT | GATE[0][10] | 10 |- | TW | GATE[1][1] | 22 |- | UART0 | GATE[1][9], GATE[9][7] | 30, 79 |- | UART1 | GATE[1][29], GATE[9][8] | 50, 80 |- | UART2 | GATE[1][30], GATE[9][9] | 51, 81 |- | UART3 | GATE[1][31], GATE[9][10] | 52, 82 |- | UART4 | GATE[4][8], GATE[9][26] | 61, 98 |- | USB-OTG | GATE[0][2] | 2 |- | USB2-PHY | GATE[1][3] | 24 |- | VP | GATE[8][0] | 50 |- | VROM | GATE[0][13] | 13 |- | XMC | GATE[8][12] | 62 |} ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157 Other: *http://purpleskank.wikidot.com/ipod-nano-5g *http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271 a41a3144015ae185d585b86d6365516e4266d267 GUID table 0 268 21944 4190 2023-01-03T18:43:06Z Q3k 6232 wikitext text/x-wiki = Nano 3G EFI = {| class="wikitable prettytable sortable" |+ List of EFI protocol GUIDs found in the Nano 3G EFI |- ! GUID !! 
Description |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> | GUID at DxeD1671 +0x103C, registered at DxeD1671 +0x6F6, interface (at DxeD1671 +0xFAC): * +0 pmu_read(void *this, char reg, unsigned int size, void *data); * +4 pmu_write(void *this, char reg, unsigned int size, void *data); |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> | GUID at Cpu +0x8E0, registered at Cpu +0x37C, interface (at Cpu +0x894): * +0 int disable_MMU_and_Caches(void* this); * +4 int enable_MMU_and_Caches(void* this); |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at Cpu +0x8C4, registered at Cpu +0x37C, interface (at Cpu +0x89C): [http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL] |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> | GUID at DxeSmbus +0x6D8, registered at DxeSmbus +0x404, interface (at DxeSmbus +0x6BC): [http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL] |- | <0x26BACCB2, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> | GUID at S5L8900Metronome +0x4FC, registered at S5L8900Metronome +0x246, interface (at S5L8900Metronome +0x4F4): [http://www.cse.msu.edu/~austinro/dox/html/struct___e_f_i___m_e_t_r_o_n_o_m_e___a_r_c_h___p_r_o_t_o_c_o_l.html _EFI_METRONOME_ARCH_PROTOCOL], TickPeriod = 10 |- | <0xD15BFD46, 0x954C, 0x478D, 0xA5, 0x4C, 0x36, 0xD4, 0xD8, 0xCD, 0xB0, 0xD0> | GUID at Nand +0xA5F4, registered at Nand +0x3F6, interface is empty: used by BDS to detect NAND (as it doesn't access its BlockIO interface directly) |- | <0x964e5b21, 0x6459, 0x11d2, {0x8e, 0x39, 0x0, 0xa0, 0xc9, 0x69, 0x72, 0x3b}> | GUID at Nand +0xA5D4, registered at Nand +0x3F6, interface (at Nand +0x84E8): [http://feishare.com/edk2doxygen/d8/dcb/struct___e_f_i___b_l_o_c_k___i_o___p_r_o_t_o_c_o_l.html _EFI_BLOCK_IO_PROTOCOL] |- | <0x9576e91, 0x6d3f, 0x11d2, {0x8e, 0x39, 0x0, 0xa0, 0xc9, 0x69, 0x72, 0x3b}> | GUID at Nand +0xA5E4, 
registered at Nand +0x3F6, interface (at Nand +0x8508): [http://feishare.com/edk2doxygen/d6/d11/struct_e_f_i___d_e_v_i_c_e___p_a_t_h___p_r_o_t_o_c_o_l.html EFI_DEVICE_PATH_PROTOCOL] as [http://feishare.com/edk2doxygen/dc/d04/struct_v_e_n_d_o_r___d_e_v_i_c_e___p_a_t_h.html VENDOR_DEVICE_PATH] GUID: <0xEEE84FD3, 0xD696, 0x4DCF, 0x94, 0x15, 0xF8, 0x21, 0xA4, 0, 0x72, 0x6E> |- |} = Nano 4G EFI = {| class="wikitable prettytable sortable" |+ This is a list of all GUIDs found in various Apple code that we've analyzed so far |- ! GUID !! Source !! Description |- | <0x3FD4147F, 0xAF65, 0x49B0, 0x78CE098, 0x8BC1132B> || Nano4G EFI || DisplayPlatform:40030540 |- | <0x4EEECD0C, 0xAE61, 0x4977, 0xBE3AA2AA, 0x12004FC2> || Nano4G EFI || Timer:40020488 |- | <0x144D4ACA, 0x93EF, 0x47E4, 0xCAB686A4, 0x81D57EF9> || Nano4G EFI || Lcd:40090620 |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || DisplayPlatform:40030540 |- | <0xC4FE7984, 0xC067, 0x4179, 0x857A288, 0x6516C7B4> || Nano4G EFI || NandReadOnly:400C6324,NandReadWrite:4063B84C |- | <0xD5406504, 0x2822, 0x4AF7, 0xEA7127AB, 0x4D1E0EE9> || Nano4G EFI || NandReadOnly:400C6334,NandReadWrite:4063B85C |- | <0x5B7F52C8, 0xF548, 0x4964, 0xE49205B3, 0xAA5BA56> || Nano4G EFI || DxeD1759:40081224 |- | <0xE22D7299, 0x8923, 0x4FB6, 0xF79EF081, 0xC5011DF8> || Nano4G EFI || DxeD1759:4008122C |- | <0xE9A6AA07, 0x6C26, 0x4643, 0x571BF8A3, 0xDB3C544C> || Nano4G EFI || DxeD1759:40081250 |- | <0x98AA9B39, 0x1794, 0x448F, 0x789B378B, 0x4B0B499C> || Nano4G EFI || DxeD1759:40081244 |- | <0x28B7E144, 0xD74D, 0x46B1, 0xF5689495, 0xC9777C25> || Nano4G EFI || DxeD1759:40081210 |- | <0xEB86F814, 0x80F7, 0x4EEC, 0x606824AA, 0x55A94602> || Nano4G EFI || DxeD1759:40081204 |- | <0xDBFDB08, 0xB500, 0x4996, 0x1E4F959A, 0x934D2> || Nano4G EFI || DxeD1759:40081214 |- | <0x3D4AA229, 0xB4E3, 0x4FD9, 0xEA90C99E, 0x3E832381> || Nano4G EFI || DxeD1759:40081234 |- | <0xBD9A3AB2, 0x3A5C, 0x4CED, 0x2C4060B6, 0x21980D72> || Nano4G EFI || 
DxeD1759:40081200 |- | <0x5CF6E3E, 0x458D, 0x4401, 0xC3D689B, 0xFD08109> || Nano4G EFI || DxeD1759:40081208 |- | <0xECCA55D7, 0xEC52, 0x4F13, 0xBC32CBB7, 0x42CEDF0A> || Nano4G EFI || DxeD1759:4008120C |- | <0x26BACCB1, 0x6F42, 0x11D4, 0x8000E7BC, 0x81883CC7> ([http://feishare.com/edk2doxygen/d2/df2/struct___e_f_i___c_p_u___a_r_c_h___p_r_o_t_o_c_o_l.html EFI_CPU_ARCH_PROTOCOL_GUID]) || Nano4G EFI || Cpu:400A06EC (Nano4G) |- | <0x869D50FA, 0x2C74, 0x44D3, 0xEEEE0582, 0x76994CBF> || Nano4G EFI || Cpu:400A06F4 |- | <0x3A6E3065, 0xCB91, 0x4DB1, 0xEED0E19A, 0x4300999B> || Nano4G EFI || ClockAndReset:4011191C |- | <0x1D602E87, 0xC708, 0x4ED3, 0xB0DB4D96, 0x1D2B46B1> || Nano4G EFI || MemoryAllocator:40190310 |- | <0xE49D33ED, 0x513D, 0x4634, 0x556F98B6, 0x1B1C75AA> ([http://feishare.com/edk2doxygen/db/d6c/struct___e_f_i___s_m_b_u_s___h_c___p_r_o_t_o_c_o_l.html EFI_SMBUS_HC_PROTOCOL]) || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:40130498, DxeSmbus:401303F4, DxeSmbus:4013055C, DxeSmbus:40130564 (registered twice) |- | <0x487E8E93, 0xEF97, 0x4E77, 0x3E1628A4, 0x625F7170> || Nano4G EFI || Pointers to malloc'ed tables containing DxeSmbus:401303CC, 3C600000 (bus 0) / DxeSmbus:401303E0, 3C900000 (bus 1) |- | <0x17A0A3D7, 0xC0A5, 0x4635, 0x2107D5BB, 0xEEE2DF87> || Nano4G EFI || Gpio:4027031C |- | <0xE124AC3F, 0x3898, 0x44AA, 0x17E9958A, 0xB244869F> || Nano4G EFI || Usb:401D02B0 |- | <0xC39B4F3A, 0xF24D, 0x4F8D, 0x82564584, 0x1FC1107F> || Nano4G EFI || Nand:40150C1C |- | <0x8708298A, 0xEEB2, 0x475F, 0xBF9EC296, 0x45163472> || Nano4G EFI || Nand:40150C78 |- | <0xC71EFCAD, 0x7B2E, 0x46D3, 0x4B4420A0, 0xAFEC727F> || Nano4G EFI || Nand:40150C28 |- | <0xA584D32F, 0x9837, 0x420B, 0x9D312694, 0xFBDBE98C> || Nano4G EFI || Nand:40150C30 |- | <0x964E5B21, 0x6459, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C58 |- | <0x9576E91, 0x6D3F, 0x11D2, 0xA000398E, 0x3B7269C9> || Nano4G EFI || Nand:40150C9C |- | <0xD15BFD46, 0x954C, 0x478D, 0xD4364CA5, 0xD0B0CDD8> || 
Nano4G EFI || NULL |- | <0xE8A9E232, 0x1708, 0x476D, 0xB10CDB9A, 0x20D9902E> || Nano4G EFI || DxeD1759Diagnostic:40310684 |- | <0x618BA6A2, 0x690E, 0x4E7A, 0x1AB2E98E, 0xF865A959> || Nano4G EFI || DxeD1759Diagnostic:403106A4 |- | <0x3622282D, 0xC57F, 0x4A7A, 0xD137CAAD, 0x2233AF3C> || Nano4G EFI || Swif:405F02E0 |- |} = Nano5G EFI = {| class="wikitable prettytable sortable" |- ! GUID !! Name || Source !! Function |- | rowspan=1 | c8906621-cf6f-ae4d-b750-128e4de659da || rowspan=1 | Aes || rowspan=1 | AES.efi || ''TODO'' |- | rowspan=1 | f63f5e66-cc46-d411-9a38-0090273fc14d || rowspan=1 | Bds || rowspan=1 | BDS.efi || ''TODO'' |- | rowspan=1 | 65306e3a-91cb-b14d-9ae1-d0ee9b990043 || rowspan=1 | ClockAndReset || rowspan=1 | ClockAndReset.efi || ''TODO'' |- | rowspan=3 | 3909986b-0bc7-794e-b8b5-a6cf0739bc7b || rowspan=3 | AppleImageValidationManager || rowspan=3 | AppleImageValidationManager.efi || ValidateInMemory |- | ValidateFromReader |- | Validate |- | rowspan=1 | bdee7fca-5f93-1f4c-b526-446c41360342 || rowspan=1 | SystemConfig || rowspan=1 | SystemConfig.efi || ''TODO'' |- | rowspan=5 | 7d6e5cf2-557f-294f-9246-219d80e6282e || rowspan=5 | ROMBootValidator || rowspan=5 | ROMBootValidator.efi || GetID |- | CheckHeader |- | ReadCheckHeader |- | CheckHeaderBody |- | ReadCheckHeaderBody |- | rowspan=1 | 1506464c-224d-894a-8d52-eaf81fe17b29 || rowspan=1 | RestoreDFU || rowspan=1 | RestoreDFU.efi || ''TODO'' |- | rowspan=5 | 872e601d-08c7-d34e-964d-dbb0b1462b1d || rowspan=5 | MemoryAllocator || rowspan=5 | MemoryAllocator.efi || Unk0 |- | Unk4 |- | Allocate |- | MustAllocate |- | Free |- | rowspan=1 | 8be1280d-a305-8642-8aa7-defe6884bad0 || rowspan=1 | InterrruptController || rowspan=1 | InterruptController.efi || ''TODO'' |- | rowspan=1 | f0ab54f3-79e1-e841-87a8-f12a52624a23 || rowspan=1 | UsbDeviceController || rowspan=1 | UsbDeviceController.efi || ''TODO'' |- | rowspan=1 | b1ccba26-426f-d411-bce7-0080c73c8881 || rowspan=1 | Cpu || rowspan=1 | Cpu.efi || ''TODO'' |- | 
rowspan=1 | f0be64f3-7fc8-c04c-a38d-1fdeef1f3168 || rowspan=1 | Sha1 || rowspan=1 | Sha1.efi || ''TODO'' |- | rowspan=7 | f21eeedd-49dc-9947-90e6-4b0c8bd36810 || rowspan=7 | ChipId || rowspan=7 | ChipId.efi || GetProductionMode |- | Unk4 |- | Unk8 |- | Unk12 |- | Unk16 |- | Unk20 |- | Unk24 |- |} d8e3a41ae3dc3460a342b66356fd138784fafec5 WInd3x 0 6431 21945 2023-01-09T15:27:58Z Q3k 6232 Created page with "== wInd3x Vulnerability == A bootrom vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution over USB due to a bug in the USB st..." wikitext text/x-wiki == wInd3x Vulnerability == A bootrom vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution over USB due to a bug in the USB stack. === Affected Devices === {| class="wikitable" |- ! Device/SoC !! Vulnerable? !! Exploited? |- | [[Nano 3G]] || Yes || Yes |- | [[Nano 4G]] || Yes || Yes |- | [[Nano 5G]] || Yes || Yes |- | [[Nano 6G]] || No || |- | [[Nano 7G]] || No || |- | Classic “6G” || Yes || Yes |- | iPhone || ? || |- | iPhone 3G || Yes || No |} === Running / Usage === See [https://github.com/freemyipod/wInd3x github.com/freemyipod/wInd3x]. === Vulnerability === This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequest == {0x20, 0x40}, but is still used to index an array of interface/class handlers (that in the Bootrom has a length of 1). ==== Nano 4G and 5G Exploit Chain ==== The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is such an instruction at 0x37c. We'll refer to it as X below. We abuse the fact that wIndex == 3 for bmRequest 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == address of SETUP. 
We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X. Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the SETUP packet received as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0. We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we are finally able to execute up to 0x800 bytes (Nano 4G) or 0x400 bytes (Nano 5G) of fully user-controlled code. In that payload, we send a stub which performs some runtime changes to the DFU's data structures to a) return a different product string and b) overwrite an image verification vtable entry with a function that allows unsigned images. Some SRAM is carved out by this pay ==== Nano 3G and Classic (“6G”) ==== With bRequestType == 0x20 and wIndex == 6 we directly jump to code execution at the SETUP packet. This Bootrom does not have a VTable which can be easily hooked to override functions to provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body. 13ada3881f02a16588ec25b8d5f73634f4448564 21967 21945 2023-01-09T16:18:30Z Q3k 6232 wikitext text/x-wiki == wInd3x Vulnerability == A bootrom vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution over USB due to a bug in the USB stack. === Affected Devices === {| class="wikitable" |- ! Device/SoC !! Vulnerable? !! Exploited? 
|- | [[Nano 3G]] || Yes || Yes |- | [[Nano 4G]] || Yes || Yes |- | [[Nano 5G]] || Yes || Yes |- | [[Nano 6G]] || No || |- | [[Nano 7G]] || No || |- | Classic “6G” || Yes || Yes |- | iPhone || ? || |- | iPhone 3G || Yes || No |} === Running / Usage === wInd3x currently allows you to: # Decrypt [[IMG1]] files, like [[OSOS]] or the bootloader/[[WTF]]/... # Access arbitrary memory and experiment with peripherals # Run unsigned DFU payloads # Run an unsigned [[OSOS]] or [[U-Boot]] by first running an automatically patched [[WTF]]. For guides, see [https://github.com/freemyipod/wInd3x github.com/freemyipod/wInd3x] === Vulnerability === This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequest == {0x20, 0x40}, but is still used to index an array of interface/class handlers (that in the Bootrom has a length of 1). ==== Nano 4G and 5G Exploit Chain ==== The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is such an instruction at 0x37c. We'll refer to it as X below. We abuse the fact that wIndex == 3 for bmRequest 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == address of SETUP. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X. Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the SETUP packet received as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0. We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. 
By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we are finally able to execute up to 0x800 bytes (Nano 4G) or 0x400 bytes (Nano 5G) of fully user-controlled code. In that payload, we send a stub which performs some runtime changes to the DFU's data structures to a) return a different product string and b) overwrite an image verification vtable entry with a function that allows unsigned images. Some SRAM is carved out by this pay ==== Nano 3G and Classic (“6G”) ==== With bRequestType == 0x20 and wIndex == 6 we directly jump to code execution at the SETUP packet. This Bootrom does not have a VTable which can be easily hooked to override functions to provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body. 563fdc6012985f57f843ad4222e9673f8758987d 21970 21967 2023-01-09T16:22:36Z Q3k 6232 wikitext text/x-wiki == wInd3x Vulnerability == A [[Bootrom]] vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution in the bootrom over USB. === Affected Devices === {| class="wikitable" |- ! Device/SoC !! Vulnerable? !! Exploited? |- | [[Nano 3G]] || Yes || Yes |- | [[Nano 4G]] || Yes || Yes |- | [[Nano 5G]] || Yes || Yes |- | [[Nano 6G]] || No || |- | [[Nano 7G]] || No || |- | Classic “6G” || Yes || Yes |- | iPhone || ? || |- | iPhone 3G || Yes || No |} === Running / Usage === wInd3x currently allows you to: # Decrypt [[IMG1]] files, like [[OSOS]] or the bootloader/[[WTF]]/... # Access arbitrary memory and experiment with peripherals # Run unsigned DFU payloads # Run an unsigned [[OSOS]] or [[U-Boot]] by first running an automatically patched [[WTF]]. 
For guides, see [https://github.com/freemyipod/wInd3x github.com/freemyipod/wInd3x]

=== Vulnerability ===

This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequestType == {0x20, 0x40}, but is still used to index an array of interface/class handlers (which in the bootrom has a length of 1).

==== Nano 4G and 5G Exploit Chain ====

The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is such an instruction at 0x37c. We'll refer to it as X below.

We abuse the fact that wIndex == 3 for bmRequestType 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == address of SETUP. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X. Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the received SETUP packet as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0.

We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we finally get to execute up to 0x800 bytes (Nano 4G) or 0x400 bytes (Nano 5G) of fully user-controlled code. In that payload, we send a stub which performs some runtime changes to the DFU's data structures to (a) return a different product string and (b) overwrite an image verification vtable entry with a function that allows unsigned images.
Some SRAM is carved out by this pay

==== Nano 3G and Classic (“6G”) ====

With bmRequestType == 0x20 and wIndex == 6 we jump directly to code execution at the SETUP packet. This bootrom does not have a vtable that can easily be hooked to override functions and provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved-out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body.

ce3360123803487e4a6f21ca8c69087cc801cb0a 21971 21970 2023-01-09T16:23:05Z Q3k 6232 wikitext text/x-wiki

== wInd3x Vulnerability ==

A [[S5L8720 Bootrom|Bootrom]] vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution in the bootrom over USB.

=== Affected Devices ===

{| class="wikitable"
|-
! Device/SoC !! Vulnerable? !! Exploited?
|-
| [[Nano 3G]] || Yes || Yes
|-
| [[Nano 4G]] || Yes || Yes
|-
| [[Nano 5G]] || Yes || Yes
|-
| [[Nano 6G]] || No ||
|-
| [[Nano 7G]] || No ||
|-
| Classic “6G” || Yes || Yes
|-
| iPhone || ? ||
|-
| iPhone 3G || Yes || No
|}

=== Running / Usage ===

wInd3x currently allows you to:

# Decrypt [[IMG1]] files, like [[OSOS]] or the bootloader/[[WTF]]/...
# Access arbitrary memory and experiment with peripherals
# Run unsigned DFU payloads
# Run an unsigned [[OSOS]] or [[U-Boot]] by first running an automatically patched [[WTF]].

For guides, see [https://github.com/freemyipod/wInd3x github.com/freemyipod/wInd3x]

=== Vulnerability ===

This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequestType == {0x20, 0x40}, but is still used to index an array of interface/class handlers (which in the bootrom has a length of 1).

==== Nano 4G and 5G Exploit Chain ====

The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device.
For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is such an instruction at 0x37c. We'll refer to it as X below.

We abuse the fact that wIndex == 3 for bmRequestType 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == address of SETUP. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X. Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the received SETUP packet as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0.

We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we finally get to execute up to 0x800 bytes (Nano 4G) or 0x400 bytes (Nano 5G) of fully user-controlled code. In that payload, we send a stub which performs some runtime changes to the DFU's data structures to (a) return a different product string and (b) overwrite an image verification vtable entry with a function that allows unsigned images. Some SRAM is carved out by this pay

==== Nano 3G and Classic (“6G”) ====

With bmRequestType == 0x20 and wIndex == 6 we jump directly to code execution at the SETUP packet. This bootrom does not have a vtable that can easily be hooked to override functions and provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved-out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body.
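
The missing check described under Vulnerability, seen from the firmware side, as an added example (not code from the bootrom or from wInd3x): a dispatcher that validates wIndex against the handler-table length before indexing, and a predicate that flags SETUP packets for which the unchecked pattern would index past the table. All names, the routing by request-type bits and the sample packets are assumptions constructed for illustration; only the table length of 1 and the bmRequestType/wIndex values come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB SETUP packet fields (USB 2.0 spec, section 9.3), decoded to host order. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

typedef int (*iface_handler_t)(const usb_setup_t *setup);

enum {
    DISPATCH_OK       = 0,  /* a registered handler ran */
    DISPATCH_STANDARD = 1,  /* standard request: handled by other code */
    DISPATCH_STALL    = -1  /* rejected: the control endpoint should STALL */
};

/* bmRequestType bits 6..5 hold the request type. */
#define REQ_TYPE(bm)      (((unsigned)(bm) >> 5) & 0x3u)
#define REQ_TYPE_STANDARD 0u
#define REQ_TYPE_CLASS    1u  /* e.g. 0x20, 0x21 */
#define REQ_TYPE_VENDOR   2u  /* e.g. 0x40 */

/* Decode the 8 little-endian bytes received on the control endpoint. */
void setup_parse(const uint8_t raw[8], usb_setup_t *out)
{
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
}

/* Audit helper: returns 1 when the flawed pattern `table[wIndex](setup)`
 * would read past a table of n_handlers entries for this packet. */
int unchecked_index_escapes(const usb_setup_t *setup, size_t n_handlers)
{
    unsigned type = REQ_TYPE(setup->bmRequestType);
    if (type != REQ_TYPE_CLASS && type != REQ_TYPE_VENDOR)
        return 0;
    return setup->wIndex >= n_handlers;
}

/* Hardened dispatch: wIndex is host-controlled, so it is range-checked
 * against the table length before it is ever used as an index. */
int dispatch_checked(const iface_handler_t *table, size_t n_handlers,
                     const usb_setup_t *setup)
{
    unsigned type = REQ_TYPE(setup->bmRequestType);
    if (type == REQ_TYPE_STANDARD)
        return DISPATCH_STANDARD;
    if (type != REQ_TYPE_CLASS && type != REQ_TYPE_VENDOR)
        return DISPATCH_STALL;                 /* reserved type */
    if (setup->wIndex >= n_handlers || table[setup->wIndex] == NULL)
        return DISPATCH_STALL;                 /* the check the page says is missing */
    return table[setup->wIndex](setup);
}

/* Hypothetical single interface handler; counts how often it runs. */
static int handler_calls;
static int dfu_handler(const usb_setup_t *setup)
{
    (void)setup;
    handler_calls++;
    return DISPATCH_OK;
}

#define NUM_HANDLERS 1  /* table length stated on the page */
static const iface_handler_t HANDLERS[NUM_HANDLERS] = { dfu_handler };

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_DFU_DNLOAD[8]  = {0x21, 0x01, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00};
static const uint8_t PKT_VENDOR_IDX3[8] = {0x40, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00};
static const uint8_t PKT_CLASS_IDX6[8]  = {0x20, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00};

int dispatch_raw(const uint8_t raw[8])
{
    usb_setup_t s;
    setup_parse(raw, &s);
    return dispatch_checked(HANDLERS, NUM_HANDLERS, &s);
}

int escapes_raw(const uint8_t raw[8])
{
    usb_setup_t s;
    setup_parse(raw, &s);
    return unchecked_index_escapes(&s, NUM_HANDLERS);
}

int main(void)
{
    printf("DFU_DNLOAD, wIndex=0: dispatch=%d escapes=%d\n",
           dispatch_raw(PKT_DFU_DNLOAD), escapes_raw(PKT_DFU_DNLOAD));
    printf("0x40, wIndex=3:       dispatch=%d escapes=%d\n",
           dispatch_raw(PKT_VENDOR_IDX3), escapes_raw(PKT_VENDOR_IDX3));
    printf("0x20, wIndex=6:       dispatch=%d escapes=%d\n",
           dispatch_raw(PKT_CLASS_IDX6), escapes_raw(PKT_CLASS_IDX6));
    return 0;
}
```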
d78ff5ca2bf1acdcabf537e43a3533ba8b4737e5 Main Page 0 50 21946 21909 2023-01-09T15:35:06Z Q3k 6232 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). 
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. 
A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[wInd3x]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Firmware decryption]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 43f9d3d04899c4b80ed566b19c22bbee179b8ada 21949 21946 2023-01-09T15:42:56Z Q3k 6232 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox]. Freemyipod is a relaunch of [[Linux4nano]]. 
==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. 
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. 
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Firmware decryption]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** 
[[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 68343c37ce2ad9f216557d7741949ea85e367d53 21953 21949 2023-01-09T15:55:22Z Q3k 6232 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. 
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! 
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] * [[ Todo list ]] * [[ Project summary ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Firmware decryption]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 9dae9fcef587821f685331a149782c9475c30e65 21958 21953 2023-01-09T15:58:55Z Q3k 6232 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. 
==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. 
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. 
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
* [[ Project summary ]]
===Released Software===
* [[wInd3x]]
* [[U-Boot|U-Boot port]]
* Legacy:
** [[iBugger]]
** [[iLoader]]
** [[emCORE]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
** [[Firmware decryption]]
** [[OSOS]]
*** [[OSOS Options]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
** [[Nano2G HW analysis]]
** [[S5L8701 analysis]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
* Nano 5G
** [[Nano 5G|General]]
===Other guides===
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[wInd3x]]
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
392afd432c1ee782542948c259eb887a940834e9 21959 21958 2023-01-09T15:59:29Z Q3k 6232 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]].
==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
===Released Software===
* [[wInd3x]]
* [[U-Boot|U-Boot port]]
* Legacy:
** [[iBugger]]
** [[iLoader]]
** [[emCORE]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
** [[Firmware decryption]]
** [[OSOS]]
*** [[OSOS Options]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
** [[Nano2G HW analysis]]
** [[S5L8701 analysis]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
* Nano 5G
** [[Nano 5G|General]]
===Other guides===
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[wInd3x]]
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
c36bcb988185927f0adb02de169015bbdc056e1e 21960 21959 2023-01-09T16:10:08Z Q3k 6232 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]].
== What can I do with my iPod Nano 2/3/4/5/6/7? ==
Not much (yet) unless you're an embedded developer :).
We have a stable tethered exploit ([[wInd3x]]) which allows early code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned.
==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
===Released Software===
* [[wInd3x]]
* [[U-Boot|U-Boot port]]
* Legacy:
** [[iBugger]]
** [[iLoader]]
** [[emCORE]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
** [[Firmware decryption]]
** [[OSOS]]
*** [[OSOS Options]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
** [[Nano2G HW analysis]]
** [[S5L8701 analysis]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
* Nano 5G
** [[Nano 5G|General]]
===Other guides===
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[wInd3x]]
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
47affaa0a91b4e9e68d24f44847b2b41010be8d2 21961 21960 2023-01-09T16:11:04Z Q3k 6232 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]].
== What can I do with my iPod Nano 2/3/4/5/6/7? ==
Not much (yet) unless you're an embedded developer :).
We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned.
==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
===Released Software===
* [[wInd3x]]
* [[U-Boot|U-Boot port]]
* Legacy:
** [[iBugger]]
** [[iLoader]]
** [[emCORE]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
** [[Firmware decryption]]
** [[OSOS]]
*** [[OSOS Options]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
** [[Nano2G HW analysis]]
** [[S5L8701 analysis]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
* Nano 5G
** [[Nano 5G|General]]
===Other guides===
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[wInd3x]]
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
b357646e7fec43f5cbe382da5b2d02c6d94b1118 21963 21961 2023-01-09T16:14:44Z Q3k 6232 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]].
== What can I do with my iPod Nano 2/3/4/5/6/7? ==
Not much (yet) unless you're an embedded developer :).
We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned.
== Getting an account ==
Due to spambots, registration is closed. For an account contact [[User:User890104]] or [[User:Q3k|q3k]].
==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%"
|- valign="top"
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Project info===
* [[ Status ]]
* [[ Contact ]]
* [[ Contributing ]]
===Released Software===
* [[wInd3x]]
* [[U-Boot|U-Boot port]]
* Legacy:
** [[iBugger]]
** [[iLoader]]
** [[emCORE]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Basic skills===
* [[Working with binaries]]
* [[Dumping firmware]]
* [[Extracting firmware]]
* [[Firmware downgrading]]
* [[Troubleshooting]]
===Reverse engineering results===
* [[Firmware]]
** [[Firmware decryption]]
** [[OSOS]]
*** [[OSOS Options]]
* [[GUID table]]
* Nano 2G
** [[Nano2G clock gates]]
** [[Nano2G LCD init]]
** [[Nano2G FTL]]
** [[Nano2G HW analysis]]
** [[S5L8701 analysis]]
* Nano 4G
** [[Nano4G firmware upgrade process]]
* Nano 5G
** [[Nano 5G|General]]
===Other guides===
* [[Modes]]
|style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"|
===Hardware===
* [[Hardware]]
** [[Nano 1G]]
** [[Nano 2G]]
** [[Nano 3G]]
** [[Nano 4G]]
** [[Nano 5G]]
** [[Nano 6G]]
** [[Classic 1G]]
** [[Classic 2G]]
** [[Classic 3G]]
* [[Chronology]]
* [[S5L8700 datasheet]]
===Exploiting===
* [[wInd3x]]
* [[Pwnage 2.0]]
* [[Notes vulnerability]]
** [[Address bruteforcing]]
** [[Nanotron 3000]]
|}
d5c7832b9a34e9c3107a5fd2a2a4dfe15d5a932a 21964 21963 2023-01-09T16:14:56Z Q3k 6232 wikitext text/x-wiki
__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]].
== What can I do with my iPod Nano 2/3/4/5/6/7? ==
Not much (yet) unless you're an embedded developer :).
We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned.
== Getting an account ==
Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]].
==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7
* {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow!
* {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents.
* {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]]
* {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon
* {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0!
* {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon!
* {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org
* {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here]
* {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]].
* {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics.
* {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]!
* {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg]
-->
Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code.
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Firmware decryption]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * Nano 2G ** [[Nano2G clock gates]] ** [[Nano2G LCD init]] ** [[Nano2G FTL]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 6c5bb0a276032eeb17f0d04183601b33c714efeb
21980 21975 2023-01-09T16:27:08Z Q3k 6232 /* Reverse engineering results */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == What can I do with my iPod Nano 2/3/4/5/6/7?
== Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! 
If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! 
It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 98623dddb328e259bc74b985a13cc3631bfb5032
MediaWiki:Sidebar 8 260 21969 21954 2023-01-09T16:22:01Z Q3k 6232 wikitext text/x-wiki * navigation ** mainpage|mainpage-description ** recentchanges-url|recentchanges ** randompage-url|randompage * SEARCH * Info ** Status|Status ** Contact|Contact ** Contributing|Contributing ** Todo list|Todo list ** Project summary|Project summary * Reverse engineering Results ** Firmware|Firmware ** Firmware decryption|Firmware decryption ** GUID table|GUID Table ** Nano 2G ** Nano 3G ** Nano 4G ** Nano 5G * Exploiting ** WInd3x|wIndex ** Pwnage 2.0|Pwnage 2.0 ** Notes vulnerability|Notes vulnerability * Other Guides ** Modes|Modes * TOOLBOX * LANGUAGES 35986d9cf85a41eff39cc3ae9cb37cafc41e9170
U-Boot 0 6432 21948 2023-01-09T15:42:27Z Q3k 6232 Created page with "== U-Boot Port == An experimental U-Boot port for the iPod Nano 5G lives at https://github.com/freemyipod/u-boot/tree/n5g-wip . It can be started using [[wInd3x]] and will s..." wikitext text/x-wiki == U-Boot Port == An experimental U-Boot port for the iPod Nano 5G lives at https://github.com/freemyipod/u-boot/tree/n5g-wip . It can be started using [[wInd3x]] and will start up a CDC-ACM serial console over USB for debugging purposes. Currently it has no storage driver.
=== Building ===
 make nano5g_defconfig
 make CROSS_COMPILE=arm-none-eabi-
=== Running ===
After building, connect your iPod Nano 5G in [[Modes|DFU Mode]] and use [[wInd3x]] to start U-Boot:
 ./wInd3x cfw run u-boot.bin
Once successfully started, U-Boot enumerates as a CDC-ACM device, e.g. it appears as /dev/ttyACM0 on Linux hosts. You can use <code>screen /dev/ttyACM0</code> to connect and experiment with the U-Boot console.
e6d0444d0b887a831b57025bc04c9feb92f68832 Working with binaries 0 201 21950 3316 2023-01-09T15:44:46Z Q3k 6232 Replaced content with "==GNU ARM toolchain== Use gcc-arm-embedded from your Linux distribution package manager. == Ghidra == [[User:Q3k|q3k]] maintains a Ghidra server with iPod binaries. Acc..." wikitext text/x-wiki
==GNU ARM toolchain==
Use gcc-arm-embedded from your Linux distribution package manager.
== Ghidra ==
[[User:Q3k|q3k]] maintains a Ghidra server with iPod binaries. Access is available on request.
ed07bd71f4a6ea322211c1005931fdadcebd8d14 Extracting firmware 0 57 21951 4024 2023-01-09T15:46:38Z Q3k 6232 wikitext text/x-wiki
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at http://svn.freemyipod.org/tools/extract2g/. The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.

To obtain a list of available files, type in:
<pre>extract2g -l dump.img</pre>
Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in:
<pre>extract2g -A dump.img</pre>
You should now have 3 files:
*osos.fw
*aupd.fw
*rsrc.fw
On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware.
This option is a workaround: the Nano 4G firmwares are detected as Nano 3G's, but the offset is different. To list the files, type in:
<pre>extract2g -l -4 dump.img</pre>
To extract all files, type in:
<pre>extract2g -A -4 dump.img</pre>
You should now have 9 files:
*appl.fw
*bdhw.fw
*bdsw.fw
*chrg.fw
*diag.fw
*disk.fw
*lbat.fw
*osos.fw
*rsrc.fw
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page.

If you need more information about using extract2g, type in:
<pre>extract2g --help</pre>
===Decrypting blobs===
On iPod Nano 3G and above, some of these resources (notably [[OSOS|osos.fw]] and other executables) are encrypted and signed. [[wInd3x]] can be used to decrypt them as long as a compatible device is connected in DFU mode.
===Removing header===
If you are using the osos.fw output by extract2g in [[emCORE]], you also need to remove the 2 KiB header from it:
<pre>dd if=osos.fw of=osos.out bs=2048 skip=1</pre>
Alternatively, under Windows, open osos.fw in HxD, choose 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save. Then put osos.out into /.boot/AppleOS.bin
==Helpful pages==
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://www.ipodlinux.org/wiki/Firmware
70f07feed7a3f878d197e7f382a5b03b7ae29db0 Status 0 121 21952 21916 2023-01-09T15:54:48Z Q3k 6232 wikitext text/x-wiki
<!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} -->
This status is based on the progress the freemyipod team has made so far.
{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]]
|-
| Code execution
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Tethered'''</span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:red">'''No'''<ref name="newexploit"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| Firmware decryption
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| [[U-Boot]]
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
|-
| [[emCORE]]
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| Boot OF
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:grey">'''No'''<ref name="tethered"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| SDRAM
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''No'''<ref name="tethered"/></span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| UART
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| USB
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| SPI
| <span style="color:grey">'''Unused'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:red">'''No'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
|-
| I2C
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span style="color:green">'''Yes'''</span>
| <span
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new 
exploit to execute code on this device.</ref>
<ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref>
<ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new and don't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work or whether we want to do anything with them at all.</ref>
<ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain, which negates the need for some features.</ref>
</references>
5be81bfae52b8ce76e0702609aec88d61118aa53 21966 21952 2023-01-09T16:16:05Z Q3k 6232 wikitext text/x-wiki
<!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} -->
This status is based on the progress the freemyipod team has made so far.
{| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Tethered'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware decryption | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[U-Boot]] | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot [[OSOS]] | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new 
exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices works and if we want to do something with them at all.</ref> <ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain which negates the need of some features.</ref> </references> abd51f695673c42a3e7d2379f9ce265e1e259116 Contact 0 259 21955 21890 2023-01-09T15:57:27Z Q3k 6232 wikitext text/x-wiki There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices. == IRC == We have an IRC channel on [https://libera.chat/ Libera]. * You can join it on [ircs://irc.libera.chat/freemyipod #freemyipod]. (Web client [https://web.libera.chat/?channels=#freemyipod here]) IRC logs are available, please check https://logs.freemyipod.org for the logfiles. They might not be up-to-date, and automatic sync is planned. If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org] and if you happen to have any question related to the original iPod firmware please ask elsewhere. == Matrix == The IRC channel above is bridged to <code>#freemyipod:hackerspace.pl</code> on Matrix. == Discord == While not an official channel for support, you can find others interested in iPod Nano/Classic development in the [https://discord.gg/7PnGEXjW3X iPod Nano Hacking discord server]. == Mailing lists == We used to have mailing lists, but they are not operational anymore. 
== Mail == We used to have individual mailboxes for project members, but they are not operational anymore. 997d6d24a1b5c616ef4a57d6136ad2315db794cc Contributing 0 256 21956 3988 2023-01-09T15:58:13Z Q3k 6232 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 6G]] / [[Nnao 7G]] since we have no means of execution on these device. If you do find such a bug, report it via IRC. ==Writing guides== Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information. 
==Testing== Testers are always good to have, and its also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing. 8cb50275517ea80e64b8ede8b68365cad9e661c6 21957 21956 2023-01-09T15:58:22Z Q3k 6232 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 6G]] / [[Nano 7G]] since we have no means of execution on these device. If you do find such a bug, report it via IRC. 
==Writing guides== Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information. ==Testing== Testers are always good to have, and its also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing. ecae5aa84340e5fa2066045f0c46e20d41a8338e 21962 21957 2023-01-09T16:13:46Z Q3k 6232 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''C''' - Used whenever we can avoid using ARM assembly. *'''Python''' - Python is used often for various scripts we write. ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. 
Right now, we mostly need this for the [[Nano 6G]] / [[Nano 7G]] since we have no means of execution on these device. [[OSOS]] bugs in any releases are also appreciated, as they might allow to potentially untether [[wInd3x]]. If you find any bug, report it via IRC. ==Development== We need an open-source reimplementation of the [[Nano2G FTL|Samsung Whimory FTL]] used in S5L-based iPods. This will allow us to access the FAT/HFS partition on NAND from any open source software. The FTL is a complex piece of software, and it needs a high-quality, clean-room implementation for reliable read/write access. ==Writing guides== Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information. ==Testing== Testers are always good to have, and its also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing. df79e53bc62e1c5a1ec6347c73a538b6c043dd46 21982 21962 2023-01-09T16:33:13Z Q3k 6232 wikitext text/x-wiki The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project: ==Developing== This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about: *'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. 
Resources: **[http://simplemachines.it/doc/arm_inst.pdf an ARM primer] **[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref] **[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM] **http://simplemachines.it has great resources for learning ARM *'''Rust''' and '''C''' - Used whenever we can avoid using ARM assembly. *'''Go''' and '''Python''' - Used to implement host-side software like wInd3x and bits of EMcore/Rockbox/... ==Vulnerabilities== If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 6G]] / [[Nano 7G]] since we have no means of execution on these device. [[OSOS]] bugs in any releases are also appreciated, as they might allow to potentially untether [[wInd3x]]. If you find any bug, report it via IRC. ==Development== We need an open-source reimplementation of the [[Nano2G FTL|Samsung Whimory FTL]] used in S5L-based iPods. This will allow us to access the FAT/HFS partition on NAND from any open source software. The FTL is a complex piece of software, and it needs a high-quality, clean-room implementation for reliable read/write access. ==Writing guides== Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information. ==Testing== Testers are always good to have, and its also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing. 
d31bf76fb33df63f3b250b22675752679dc8869e User:Q3k 2 6418 21965 21895 2023-01-09T16:15:19Z Q3k 6232 wikitext text/x-wiki q3k on libera.chat, @q3k:hackerspace.pl on Matrix, q3k@q3k.org over SMTP. 9d3510d716ebf02eb1682b7eb80f1d1310999075 Bootrom 0 6417 21972 21907 2023-01-09T16:23:16Z Q3k 6232 Q3k moved page [[S5L8720 Bootrom]] to [[Bootrom]] wikitext text/x-wiki == Introduction == The iPod Nano 4G bootrom is different from the iBoot/SecureROM bootrom present on iOS-based S5L8720 devices, like the iPod Touch 2G. The reverse engineering efforts below have been based on a ROM extract from a Nano 4g with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same [[IMG1|image]] verification steps: # Load image into memory at beginning of SRAM. # Verify image header ([[IMG1]] 2.0): perform SHA1 then AES of first 0x40 bytes, compare against stored sum. # Parse footer certificates and verify footer signature against body (undocumented). # Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DesignWare HS OTG register access code). 
There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based, so no unlink/house of $x heap attacks), and the entire data transfer is effectively performed in poll/synchronous mode (with all transfers initiated via USB DMA directly into temporary receive buffers). The difference between the Nano and SecureROM bootrom codebases seem to be the main cause of none of the SecureROM USB exploits working (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc. However, a full pass over the USB codepaths is still yet to be performed, other vulnerabilities are likely to exist. 21b1f74133c89519044e445cbb38ba37e75a855a 21974 21972 2023-01-09T16:24:43Z Q3k 6232 wikitext text/x-wiki == Introduction == The iPod bootrom is different from the iBoot/SecureROM bootrom present on iOS-based devices. This is true even for iOS/non-iOS devices that share the same SoC, eg. the iPod touch 2G and Nano 4G (both of which are based around an S5L8720). The reverse engineering efforts below have been based on a ROM extract from a Nano 4G with the following SHA256 sum: 9cc05fb83024c9d51fd31c97a137447ce5ea87fe7cefba7b9aa6d54609bfbafb . == BootROM functionality == The BootROM can perform the following actions: # Boot from NAND flash (via built-in flash translation layer implementation) # Boot from some other unknown storage (NOR? Although NOR is not present on the N4G...) # Boot from USB DFU mode. The mode is selected based on straps, pressed buttons and mode priorities (first NAND or 'NOR' is performed, then DFU). All three boot paths end up performing the same [[IMG1|image]] verification steps: # Load image into memory at beginning of SRAM. # Verify image header ([[IMG1]] 2.0): perform SHA1 then AES of first 0x40 bytes, compare against stored sum. # Parse footer certificates and verify footer signature against body (undocumented). # Decrypt and jump into body. == Certificate parsing == The certificate parsing code is subject to [[Pwnage 2.0]]. 
This is one of the few codebases shared with iBoot/SecureROM, and is why the bug was portable to the Nano bootroms. == DFU mode == The DFU mode codebase seems to be different from the iBoot/SecureROM codebase, with very little code shared (perhaps apart from low-level DesignWare HS OTG register access code). There are no iBoot-like tasks present, the heap is very minimalistic (bitmap based, so no unlink/house of $x heap attacks), and the entire data transfer is effectively performed in poll/synchronous mode (with all transfers initiated via USB DMA directly into temporary receive buffers). The difference between the Nano and SecureROM bootrom codebases seems to be the main cause of none of the SecureROM USB exploits working (steaks4uce, usb_control_msg(0xa1, 1), checkm8, etc.). However, a full pass over the USB codepaths has yet to be performed, and other vulnerabilities are likely to exist. The USB codebase of the DFU is where the [[WInd3x|wInd3x]] bug lives. 44e51ca1609f3f4142b946d257edfbc83b36d60c S5L8720 Bootrom 0 6433 21973 2023-01-09T16:23:16Z Q3k 6232 Q3k moved page [[S5L8720 Bootrom]] to [[Bootrom]] wikitext text/x-wiki #REDIRECT [[Bootrom]] 4263c6c10d71de14400c43dbef4f24d59038bc72 FTL 0 193 21976 3317 2023-01-09T16:26:26Z Q3k 6232 wikitext text/x-wiki The Nano 2G (and above) uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). The following has been reverse-engineered from the Nano 2G implementation of the FTL, but is likely accurate for subsequent releases. == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages. * Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash. * The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.) * Hyperblock: One block across all banks. * System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below. * System pages: All the pages in the system hyperblocks. == On-Flash layout == (assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.) ____________________________________________________ | Block 0: Signature | |----------------------------------------------------| | 4 VFL context blocks | |----------------------------------------------------| | Spare blocks for remapping | |----------------------------------------------------| | Virtual blocks (directly mapped) | |- - - - - - - - - - - - - --------------------------| | Last few virtual blocks, | | | always marked as bad to | Low level signature | | protect overlapping low | and BBT blocks | | level BBT and signature | | |__________________________|_________________________| == The lowlevel BBT == This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ... == The VFL == The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL. === VFL context === /* Keeps the state of the bank's VFL, both on flash and in memory. There is one of these per bank. */ struct ftl_vfl_cxt_type { /* Cross-bank update sequence number, incremented on every VFL context commit on any bank. 
*/ uint32_t usn; /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts in order to be able to find the most recent FTL context copy when mounting the FTL. The VFL context number this will be written to on an FTL context commit is chosen semi-randomly. */ uint16_t ftlctrlblocks[3]; /* Alignment to 32 bits */ uint8_t field_A[2]; /* Decrementing update counter for VFL context commits per bank */ uint32_t updatecount; /* Number of the currently active VFL context block, it's an index into vflcxtblocks. */ uint16_t activecxtblock; /* Number of the first free page in the active VFL context block */ uint16_t nextcxtpage; /* Seems to be unused */ uint8_t field_14[4]; /* Incremented every time a block erase error leads to a remap, but doesn't seem to be read anywhere. */ uint16_t field_18; /* Number of spare blocks used */ uint16_t spareused; /* pBlock number of the first spare block */ uint16_t firstspare; /* Total number of spare blocks */ uint16_t sparecount; /* Block remap table. Contains the vBlock number the n-th spare block is used as a replacement for. 0 = unused, 0xFFFF = bad. */ uint16_t remaptable[0x334]; /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad. If the entry is zero, you should look at the remap table to see if the block is remapped, and if yes, where the replacement is. */ uint8_t bbt[0x11A]; /* pBlock numbers used to store the VFL context. This is a ring buffer. On a VFL context write, always 8 pages are written, and it passes if at least 4 of them can be read back. */ uint16_t vflcxtblocks[4]; /* Blocks scheduled for remapping are stored at the end of the remap table. This is the first index used for them. */ uint16_t scheduledstart; /* Probably padding */ uint8_t field_7AC[0x4C]; /* First checksum (addition) */ uint32_t checksum1; /* Second checksum (XOR), there is a bug in whimory regarding this. 
*/ uint32_t checksum2; } __attribute__((packed)); === VFL mounting procedure === * Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18. * Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT. * Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it. * Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN. * Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context. * Verify the VFL context checksum === vPage read procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block) * The resulting pPage will be read, and the code will return if the read was successful. * If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping. === vPage write procedure === * First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. 
The block number of the resulting page is calculated, and a VFL BBT lookup is done for that block. If the block is bad, the write will be remapped to a block in the spare area (to the same page number within the block). * The resulting pPage will be written, and the code will return if the write was successful. * If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success. * If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping. === vBlock erase procedure === * First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it. * If remapping is scheduled for the pBlock, remap it. * Remove one problem point from that pBlock, if there are any. * Follow the pBlock remapping, if it exists. * Erase the pBlock (up to 3 tries, if needed). * If all 3 tries failed: ** If the block was already remapped, mark the spare block it was mapped to as bad (and thereby un-remap it). ** Remap the pBlock and commit the VFL context. ** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.
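The read, write and erase procedures above share one piece of bookkeeping: the coarse BBT (one bit per 8 blocks), the remap table, and the problem points. The C model below is an added example, not Whimory or project code; the geometry, the function names, the bit order inside a BBT byte and the `scheduled` flag array are assumptions, and block numbers are pBlocks of a single bank.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed geometry for the model, not a real Nano bank. */
#define NBLOCKS    256
#define FIRSTSPARE 5      /* block 0 = signature, blocks 1-4 = VFL context */
#define SPARECOUNT 4
#define SPARE_BAD  0xFFFF

/* Block arguments are assumed to lie in the directly mapped area. */
struct vfl_model {
    uint8_t  bbt[NBLOCKS / 64];      /* one bit per 8 blocks, 1 = OK */
    uint16_t remaptable[SPARECOUNT]; /* block served by spare n, 0 = unused */
    uint8_t  points[NBLOCKS];        /* problem points per pBlock */
    uint8_t  scheduled[NBLOCKS];     /* assumption: flags, not the table tail */
    uint8_t  erase_fails[NBLOCKS];   /* simulated hardware fault */
    unsigned erase_calls;            /* erase attempts issued to the flash */
};

void vfl_init(struct vfl_model *v)
{
    memset(v, 0, sizeof *v);
    memset(v->bbt, 0xFF, sizeof v->bbt);
}

/* BBT lookup: 1 means none of the 8 blocks sharing this bit was remapped. */
int vfl_group_ok(const struct vfl_model *v, uint16_t blk)
{
    return (v->bbt[blk >> 6] >> ((blk >> 3) & 7)) & 1;
}

/* Follow the remapping: a zero BBT bit only says "check the remap table". */
uint16_t vfl_resolve(const struct vfl_model *v, uint16_t blk)
{
    if (vfl_group_ok(v, blk))
        return blk;
    for (unsigned i = 0; i < SPARECOUNT; i++)
        if (v->remaptable[i] == blk)
            return (uint16_t)(FIRSTSPARE + i);
    return blk; /* a neighbour in the group was remapped, this block was not */
}

/* Give blk the first unused spare; returns 0 if none is left.
   A spare that already served blk is marked bad first. */
uint16_t vfl_remap(struct vfl_model *v, uint16_t blk)
{
    v->scheduled[blk] = 0;
    v->bbt[blk >> 6] &= (uint8_t)~(1u << ((blk >> 3) & 7));
    for (unsigned i = 0; i < SPARECOUNT; i++)
        if (v->remaptable[i] == blk)
            v->remaptable[i] = SPARE_BAD;
    for (unsigned i = 0; i < SPARECOUNT; i++)
        if (v->remaptable[i] == 0) {
            v->remaptable[i] = blk;
            return (uint16_t)(FIRSTSPARE + i);
        }
    return 0;
}

/* Write path, after the write and the ECC read-back both failed. */
void vfl_log_write_failure(struct vfl_model *v, uint16_t blk)
{
    v->points[blk] += 3;
    if (v->points[blk] > 5)
        v->scheduled[blk] = 1;
}

/* Erase path. Returns 1 if the serving pBlock was erased, 0 if all three
   tries failed and the block was remapped instead. */
int vfl_erase(struct vfl_model *v, uint16_t blk)
{
    if (v->scheduled[blk])
        vfl_remap(v, blk);
    if (v->points[blk])
        v->points[blk]--;
    uint16_t target = vfl_resolve(v, blk);
    for (int attempt = 0; attempt < 3; attempt++) {
        v->erase_calls++;
        if (!v->erase_fails[target])
            return 1;
    }
    /* Context commit and zeroing of the spare bytes are not modelled. */
    vfl_remap(v, blk);
    return 0;
}

int main(void)
{
    struct vfl_model v;
    vfl_init(&v);
    vfl_log_write_failure(&v, 100);
    vfl_log_write_failure(&v, 100);  /* 6 points: remap is now scheduled */
    vfl_erase(&v, 100);
    printf("block 100 -> pBlock %u\n", (unsigned)vfl_resolve(&v, 100));
    v.erase_fails[FIRSTSPARE] = 1;   /* the spare itself goes bad */
    vfl_erase(&v, 100);
    printf("block 100 -> pBlock %u\n", (unsigned)vfl_resolve(&v, 100));
    return 0;
}
```

When reconstructing a raw dump, the same lookup order applies: a zero BBT bit alone does not tell you a block moved, only the remap table does.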
=== VFL context update procedure === * Yet to be documented === VFL context checksums === /* Calculates the checksums for the VFL context page of the specified bank */ void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2) { uint32_t i; *checksum1 = 0xAABBCCDD; *checksum2 = 0xAABBCCDD; for (i = 0; i < 0x1FE; i++) { *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i]; *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i]; } } /* Checks if the checksums of the VFL context of the specified bank are correct */ uint32_t ftl_vfl_verify_checksum(uint32_t bank) { uint32_t checksum1, checksum2; ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2); if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0; /* The following line is pretty obviously a bug in Whimory, but we do it the same way for compatibility. */ if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0; return 1; } == The FTL == The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling. === FTL Context === /* Keeps the state of the FTL, both on flash and in memory */ struct ftl_cxt_type { /* Update sequence number of the FTL context, decremented every time a new revision of FTL meta data is written. */ uint32_t usn; /* Update sequence number for user data blocks. Incremented every time a portion of user pages is written, so that a consistency check can determine which copy of a user page is the most recent one. */ uint32_t nextblockusn; /* Count of currently free pages in the block pool */ uint16_t freecount; /* Index to the first free hyperblock in the blockpool ring buffer */ uint16_t nextfreeidx; /* This is a counter that is used to better distribute block wear. It is incremented on every block erase, and if it gets too high (300 on writes, 20 on sync), the most and least worn hyperblock will be swapped (causing an additional block write) and the counter will be decreased by 20.
*/ uint16_t swapcounter; /* Ring buffer of currently free hyperblocks. nextfreeidx is the index to freecount free ones, the other ones are currently allocated for scattered page hyperblocks. */ uint16_t blockpool[0x14]; /* Alignment to 32 bits */ uint16_t field_36; /* vPages where the block map is stored */ uint32_t ftl_map_pages[8]; /* Probably additional map page number space for bigger chips */ uint8_t field_58[0x28]; /* vPages where the erase counters are stored */ uint32_t ftl_erasectr_pages[8]; /* Seems to be padding */ uint8_t field_A0[0x70]; /* Pointer to ftl_map used by Whimory, not used by us */ uint32_t ftl_map_ptr; /* Pointer to ftl_erasectr used by Whimory, not used by us */ uint32_t ftl_erasectr_ptr; /* Pointer to ftl_log used by Whimory, not used by us */ uint32_t ftl_log_ptr; /* Flag used to indicate that some erase counter pages should be committed because they were changed more than 100 times since the last commit. */ uint32_t erasedirty; /* Seems to be unused */ uint16_t field_120; /* vBlocks used to store the FTL context, map, and erase counter pages. This is also a ring buffer, and the oldest page gets swapped with the least used page from the block pool ring buffer when a new one is allocated. */ uint16_t ftlctrlblocks[3]; /* The last used vPage number from ftlctrlblocks */ uint32_t ftlctrlpage; /* Set on context sync, reset on write, so obviously never zero in the context written to the flash */ uint32_t clean_flag; /* Seems to be unused, but gets loaded from flash by Whimory. */ uint8_t field_130[0x15C]; } __attribute__((packed)); === FTL mounting procedure === * Make sure the VFLs are mounted * Get the FTL context vBlock numbers from the most-recently updated VFL context * Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page. * Start reading pages from the end of that hyperblock, until a readable page is hit.
If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown. * Read the block map and erase counter pages pointed to by the FTL context * Initialize the scattered page, problem log and erase counter dirt information. === lPage read procedure === * Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block. * If there is a scattered page entry for the lBlock, that contains the requested page, use that instead. * Read the vPage * If it was unprogrammed, return an all-zero result. * If there was an error, zero the result and return an error. === lPage write procedure === * Yet to be documented === FTL sync/shutdown procedure === * Yet to be documented === FTL context update procedure === * Yet to be documented == Error handling == * Yet to be documented == Scattered page blocks == * Yet to be documented == Page metadata (spare bytes) == /* Layout of the spare bytes of each page on the flash */ union ftl_spare_data_type { /* The layout used for actual user data (types 0x40 and 0x41) */ struct ftl_spare_data_user_type { /* The lPage, i.e. Sector, number */ uint32_t lpn; /* The update sequence number of that page, copied from ftl_cxt.nextblockusn on write */ uint32_t usn; /* Seems to be unused */ uint8_t field_8; /* Type field, 0x40 (data page) or 0x41 (last data page of hyperblock) */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. 
*/ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) user; /* The layout used for meta data (other types) */ struct ftl_spare_data_meta_type { /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */ uint32_t usn; /* Index of the thing inside the page, for example number / index of the map or erase counter page */ uint16_t idx; /* Seems to be unused */ uint8_t field_6; /* Seems to be unused */ uint8_t field_7; /* Seems to be unused */ uint8_t field_8; /* Type field: 0x43: FTL context page 0x44: Block map page 0x46: Erase counter page 0x47: "FTL is currently mounted", i.e. unclean shutdown, mark 0x80: VFL context page */ uint8_t type; /* ECC mark, usually 0xFF. If an error occurred while reading the page during a copying operation earlier, this will be 0x55. */ uint8_t eccmark; /* Seems to be unused */ uint8_t field_B; /* ECC data for the user data */ uint8_t dataecc[0x28]; /* ECC data for the first 0xC bytes above */ uint8_t spareecc[0xC]; } __attribute__((packed)) meta; }; 7ef2dd3c4d8a3f3fd11c9f17918a1445a8d06cfa 21977 21976 2023-01-09T16:26:32Z Q3k 6232 Q3k moved page [[Nano2G FTL]] to [[FTL]] wikitext text/x-wiki 7ef2dd3c4d8a3f3fd11c9f17918a1445a8d06cfa 21979 21977 2023-01-09T16:26:48Z Q3k 6232 wikitext text/x-wiki The Nano 2G (and above) uses an FTL (Flash Translation Layer) from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version. The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer). The following has been reverse-engineered from the Nano 2G implementation of the FTL, but is likely accurate for subsequent releases. == Terminology == * Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.
* Physical page (pPage): A physical page number on the flash.
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)
* Hyperblock: One block across all banks.
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.
* System pages: All the pages in the system hyperblocks.

== On-Flash layout ==
(assuming that all pages are good, part of it might be moved if there are bad pages, which is not fully understood yet.)

  ____________________________________________________
 |                 Block 0: Signature                 |
 |----------------------------------------------------|
 |                4 VFL context blocks                |
 |----------------------------------------------------|
 |             Spare blocks for remapping             |
 |----------------------------------------------------|
 |          Virtual blocks (directly mapped)          |
 |- - - - - - - - - - - - - --------------------------|
 | Last few virtual blocks, |                         |
 | always marked as bad to  |   Low level signature   |
 | protect overlapping low  |     and BBT blocks      |
 | level BBT and signature  |                         |
 |__________________________|_________________________|

== The lowlevel BBT ==
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...

== The VFL ==
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context. When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps. Each bank has its own independent VFL.

=== VFL context ===
 /* Keeps the state of the bank's VFL, both on flash and in memory.
    There is one of these per bank. */
 struct ftl_vfl_cxt_type
 {
     /* Cross-bank update sequence number, incremented on every VFL
        context commit on any bank. */
     uint32_t usn;
     /* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts
        in order to be able to find the most recent FTL context copy
        when mounting the FTL. The VFL context number this will be
        written to on an FTL context commit is chosen semi-randomly. */
     uint16_t ftlctrlblocks[3];
     /* Alignment to 32 bits */
     uint8_t field_A[2];
     /* Decrementing update counter for VFL context commits per bank */
     uint32_t updatecount;
     /* Number of the currently active VFL context block, it's an index
        into vflcxtblocks. */
     uint16_t activecxtblock;
     /* Number of the first free page in the active VFL context block */
     uint16_t nextcxtpage;
     /* Seems to be unused */
     uint8_t field_14[4];
     /* Incremented every time a block erase error leads to a remap,
        but doesn't seem to be read anywhere. */
     uint16_t field_18;
     /* Number of spare blocks used */
     uint16_t spareused;
     /* pBlock number of the first spare block */
     uint16_t firstspare;
     /* Total number of spare blocks */
     uint16_t sparecount;
     /* Block remap table. Contains the vBlock number the n-th spare
        block is used as a replacement for. 0 = unused, 0xFFFF = bad. */
     uint16_t remaptable[0x334];
     /* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.
        If the entry is zero, you should look at the remap table to see
        if the block is remapped, and if yes, where the replacement is. */
     uint8_t bbt[0x11A];
     /* pBlock numbers used to store the VFL context. This is a ring
        buffer. On a VFL context write, always 8 pages are written,
        and it passes if at least 4 of them can be read back. */
     uint16_t vflcxtblocks[4];
     /* Blocks scheduled for remapping are stored at the end of the
        remap table. This is the first index used for them. */
     uint16_t scheduledstart;
     /* Probably padding */
     uint8_t field_7AC[0x4C];
     /* First checksum (addition) */
     uint32_t checksum1;
     /* Second checksum (XOR), there is a bug in whimory regarding this. */
     uint32_t checksum2;
 } __attribute__((packed));

=== VFL mounting procedure ===
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.
* Verify the VFL context checksum

=== vPage read procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be read, and the code will return if the read was successful.
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.

=== vPage write procedure ===
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks.
The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)
* The resulting pPage will be written, and the code will return if the write was successful.
* If there was an error, the page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.

=== vBlock erase procedure ===
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.
* If remapping is scheduled for the pBlock, remap it.
* Remove one problem point from that pBlock, if there are some.
* Follow the pBlock remapping, if it exists.
* Erase the pBlock (up to 3 tries, if needed).
* If all 3 tries failed:
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)
** Remap the pBlock and commit the VFL context.
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.
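The vPage read and write procedures above begin with the same translation step: skip the system pages, split off the bank, look the block up in the VFL BBT and follow the remap table into the spare area. The C code below is an added example of that step for someone parsing a flash dump; it is not code from Whimory or from the freemyipod project. The names <code>vfl_view</code>, <code>vfl_geometry</code>, <code>vfl_location</code> and the functions are hypothetical, the geometry values are constructed, and two things are assumptions: that the bank is the remainder of the division by the bank count, and that the VFL BBT uses the same bit order as the lowlevel BBT.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VFL_REMAP_ENTRIES 0x334   /* size of remaptable in ftl_vfl_cxt_type */
#define VFL_BBT_BYTES     0x11A   /* size of bbt in ftl_vfl_cxt_type */

/* The fields of ftl_vfl_cxt_type that translation needs (names as on the page). */
struct vfl_view {
    uint16_t spareused;                      /* number of spare blocks used */
    uint16_t firstspare;                     /* pBlock number of the first spare block */
    uint16_t remaptable[VFL_REMAP_ENTRIES];  /* 0 = unused, 0xFFFF = bad */
    uint8_t  bbt[VFL_BBT_BYTES];             /* 1 = OK, 0 = bad */
};

/* Hypothetical geometry record (an assumption, not a structure from the page). */
struct vfl_geometry {
    uint32_t banks, pagesperblock, blocksperbank, syshyperblocks;
};

struct vfl_location {
    uint32_t bank, pblock, page;
    uint32_t ppage;                          /* page number within the bank */
    int remapped;                            /* 1 if a spare block is used */
};

/* Assumption: same bit order as the lowlevel BBT (LSB of byte 0 is block 0). */
static int vfl_block_is_good(const uint8_t *bbt, uint32_t block)
{
    return (bbt[block >> 3] >> (block & 7)) & 1;
}

/* Follow the remap table for a block that the BBT marks as bad. */
static uint32_t vfl_physical_block(const struct vfl_view *cxt, uint32_t block,
                                   int *remapped)
{
    uint32_t used = cxt->spareused, i;
    *remapped = 0;
    if (vfl_block_is_good(cxt->bbt, block)) return block;
    if (used > VFL_REMAP_ENTRIES) used = VFL_REMAP_ENTRIES; /* corrupt context */
    for (i = 0; i < used; i++) {
        uint16_t entry = cxt->remaptable[i];
        if (entry == 0 || entry == 0xFFFF) continue;  /* unused or bad spare */
        if (entry == block) {
            *remapped = 1;
            return (uint32_t)cxt->firstspare + i;     /* the i-th spare block */
        }
    }
    return block;  /* bad and not remapped: expect read errors */
}

/* Translate a vPage into bank, pBlock and page. Returns 0, or -1 if out of range. */
int vfl_translate(const struct vfl_geometry *g, const struct vfl_view *cxt,
                  uint32_t vpage, struct vfl_location *out)
{
    uint64_t ppb, abspage, bankpage;
    uint32_t block;
    if (!g->banks || !g->pagesperblock || g->blocksperbank > VFL_BBT_BYTES * 8u)
        return -1;
    ppb = (uint64_t)g->pagesperblock * g->banks;          /* pages per hyperblock */
    abspage = (uint64_t)vpage + ppb * g->syshyperblocks;  /* skip the system pages */
    if (abspage >= ppb * g->blocksperbank) return -1;
    out->bank = (uint32_t)(abspage % g->banks);      /* assumed round-robin order */
    bankpage = abspage / g->banks;
    block = (uint32_t)(bankpage / g->pagesperblock);
    out->page = (uint32_t)(bankpage % g->pagesperblock);
    out->pblock = vfl_physical_block(&cxt[out->bank], block, &out->remapped);
    if (out->pblock >= g->blocksperbank) return -1;  /* remap points off the chip */
    out->ppage = out->pblock * g->pagesperblock + out->page;
    return 0;
}

/* Build a view with every block good and the spare area starting at firstspare. */
void vfl_view_init(struct vfl_view *v, uint16_t firstspare)
{
    memset(v, 0, sizeof(*v));
    memset(v->bbt, 0xFF, sizeof(v->bbt));
    v->firstspare = firstspare;
}

int main(void)
{
    /* Constructed sample: 4 banks, 128 pages/block, 2048 blocks, 100 system hyperblocks. */
    static struct vfl_view cxt[4];
    struct vfl_geometry g = { 4, 128, 2048, 100 };
    struct vfl_location loc;
    int i;
    for (i = 0; i < 4; i++) vfl_view_init(&cxt[i], 5);
    cxt[1].bbt[150 >> 3] &= (uint8_t)~(1u << (150 & 7)); /* bank 1, block 150 is bad */
    cxt[1].remaptable[0] = 0xFFFF;                       /* spare 0 is bad itself */
    cxt[1].remaptable[1] = 150;                          /* spare 1 replaces block 150 */
    cxt[1].spareused = 2;
    if (vfl_translate(&g, cxt, 25629, &loc) == 0)
        printf("bank %u pBlock %u page %u remapped %d\n", (unsigned)loc.bank,
               (unsigned)loc.pblock, (unsigned)loc.page, loc.remapped);
    return 0;
}
```

The clamp on <code>spareused</code> and the range check on the replacement block matter when the context comes from a damaged or tampered dump, where those fields cannot be trusted.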

=== VFL context update procedure ===
* Yet to be documented

=== VFL context checksums ===
 /* Calculates the checksums for the VFL context page of the specified bank */
 void ftl_vfl_calculate_checksum(uint32_t bank, uint32_t* checksum1, uint32_t* checksum2)
 {
     uint32_t i;
     *checksum1 = 0xAABBCCDD;
     *checksum2 = 0xAABBCCDD;
     /* 0x1FE words = 0x7F8 bytes: every field of the context that
        precedes checksum1 */
     for (i = 0; i < 0x1FE; i++)
     {
         *checksum1 += ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
         *checksum2 ^= ((uint32_t*)(&ftl_vfl_cxt[bank]))[i];
     }
 }
 
 /* Checks if the checksums of the VFL context of the specified bank are correct */
 uint32_t ftl_vfl_verify_checksum(uint32_t bank)
 {
     uint32_t checksum1, checksum2;
     ftl_vfl_calculate_checksum(bank, &checksum1, &checksum2);
     if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;
     /* The following line is pretty obviously a bug in Whimory,
        but we do it the same way for compatibility. */
     if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;
     return 1;
 }

== The FTL ==
The FTL is responsible for handling writes that are smaller than the smallest erasable unit (1 "hyperblock") and performs wear leveling.

=== FTL Context ===
 /* Keeps the state of the FTL, both on flash and in memory */
 struct ftl_cxt_type
 {
     /* Update sequence number of the FTL context, decremented
        every time a new revision of FTL meta data is written. */
     uint32_t usn;
     /* Update sequence number for user data blocks. Incremented
        every time a portion of user pages is written, so that
        a consistency check can determine which copy of a user
        page is the most recent one. */
     uint32_t nextblockusn;
     /* Count of currently free pages in the block pool */
     uint16_t freecount;
     /* Index to the first free hyperblock in the blockpool ring buffer */
     uint16_t nextfreeidx;
     /* This is a counter that is used to better distribute block
        wear. It is incremented on every block erase, and if it
        gets too high (300 on writes, 20 on sync), the most and
        least worn hyperblock will be swapped (causing an additional
        block write) and the counter will be decreased by 20. */
     uint16_t swapcounter;
     /* Ring buffer of currently free hyperblocks. nextfreeidx is the
        index to freecount free ones, the other ones are currently
        allocated for scattered page hyperblocks. */
     uint16_t blockpool[0x14];
     /* Alignment to 32 bits */
     uint16_t field_36;
     /* vPages where the block map is stored */
     uint32_t ftl_map_pages[8];
     /* Probably additional map page number space for bigger chips */
     uint8_t field_58[0x28];
     /* vPages where the erase counters are stored */
     uint32_t ftl_erasectr_pages[8];
     /* Seems to be padding */
     uint8_t field_A0[0x70];
     /* Pointer to ftl_map used by Whimory, not used by us */
     uint32_t ftl_map_ptr;
     /* Pointer to ftl_erasectr used by Whimory, not used by us */
     uint32_t ftl_erasectr_ptr;
     /* Pointer to ftl_log used by Whimory, not used by us */
     uint32_t ftl_log_ptr;
     /* Flag used to indicate that some erase counter pages should be
        committed because they were changed more than 100 times since
        the last commit. */
     uint32_t erasedirty;
     /* Seems to be unused */
     uint16_t field_120;
     /* vBlocks used to store the FTL context, map, and erase
        counter pages. This is also a ring buffer, and the oldest
        page gets swapped with the least used page from the block
        pool ring buffer when a new one is allocated. */
     uint16_t ftlctrlblocks[3];
     /* The last used vPage number from ftlctrlblocks */
     uint32_t ftlctrlpage;
     /* Set on context sync, reset on write, so obviously never
        zero in the context written to the flash */
     uint32_t clean_flag;
     /* Seems to be unused, but gets loaded from flash by Whimory. */
     uint8_t field_130[0x15C];
 } __attribute__((packed));

=== FTL mounting procedure ===
* Make sure the VFLs are mounted
* Get the FTL context vBlock numbers from the most-recently updated VFL context
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as its first page.
* Start reading pages from the end of that hyperblock, until a readable page is hit.
If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.
* Read the block map and erase counter pages pointed to by the FTL context
* Initialize the scattered page, problem log and erase counter dirt information.

=== lPage read procedure ===
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.
* If there is a scattered page entry for the lBlock, that contains the requested page, use that instead.
* Read the vPage
* If it was unprogrammed, return an all-zero result.
* If there was an error, zero the result and return an error.

=== lPage write procedure ===
* Yet to be documented

=== FTL sync/shutdown procedure ===
* Yet to be documented

=== FTL context update procedure ===
* Yet to be documented

== Error handling ==
* Yet to be documented

== Scattered page blocks ==
* Yet to be documented

== Page metadata (spare bytes) ==
 /* Layout of the spare bytes of each page on the flash */
 union ftl_spare_data_type
 {
     /* The layout used for actual user data (types 0x40 and 0x41) */
     struct ftl_spare_data_user_type
     {
         /* The lPage, i.e. Sector, number */
         uint32_t lpn;
         /* The update sequence number of that page,
            copied from ftl_cxt.nextblockusn on write */
         uint32_t usn;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field, 0x40 (data page) or 0x41
            (last data page of hyperblock) */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) user;
     /* The layout used for meta data (other types) */
     struct ftl_spare_data_meta_type
     {
         /* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */
         uint32_t usn;
         /* Index of the thing inside the page,
            for example number / index of the map or erase counter page */
         uint16_t idx;
         /* Seems to be unused */
         uint8_t field_6;
         /* Seems to be unused */
         uint8_t field_7;
         /* Seems to be unused */
         uint8_t field_8;
         /* Type field:
              0x43: FTL context page
              0x44: Block map page
              0x46: Erase counter page
              0x47: "FTL is currently mounted", i.e. unclean shutdown, mark
              0x80: VFL context page */
         uint8_t type;
         /* ECC mark, usually 0xFF. If an error occurred while reading the
            page during a copying operation earlier, this will be 0x55. */
         uint8_t eccmark;
         /* Seems to be unused */
         uint8_t field_B;
         /* ECC data for the user data */
         uint8_t dataecc[0x28];
         /* ECC data for the first 0xC bytes above */
         uint8_t spareecc[0xC];
     } __attribute__((packed)) meta;
 };
bf5321a8458509d38fa67900c59cc86ca66a9ce8 Nano2G FTL 0 6434 21978 2023-01-09T16:26:32Z Q3k 6232 Q3k moved page [[Nano2G FTL]] to [[FTL]] wikitext text/x-wiki
#REDIRECT [[FTL]]
b2f7ecefbab8f0c03777ae7fc1ac102be97b58b5 EmCORE 0 323 21983 4106 2023-01-09T16:35:08Z Q3k 6232 wikitext text/x-wiki
{{Template:Outdated|reason=emCORE has been abandoned. Bootloader duties are now handled by [[U-Boot]]. The target OS is likely going to be Rockbox and/or Linux.}}

==emCORE kernel==
emCORE is a lightweight alternative operating system for iPods (and possibly other devices one day).

===Features===
* Preemptive multitasking
* Can run multiple independent apps at the same time
* Shared library support
* USB debugging API
* FAT32 file system access
* LCD text console and graphics API
* Can run other kernels (such as [http://www.rockbox.org/ Rockbox]) through a kexec-like interface
* ~75KB executable size, ~110KB RAM usage (plus LCD frame buffer)

==emCORE boot menu==
When emCORE is installed, the emCORE boot menu is installed as the default autostart app. Depending on the device it offers various boot options.

==emCORE fastboot==
[[Fastboot]] was an emCORE application that was used to launch [http://www.rockbox.org/ Rockbox] or OF instantly when the iPod turns on. It is now discontinued, and its functionality is moved to the Boot menu.

==emCOREFS==
[[emCOREFS]] is a filesystem wrapper around [[EmCORE_Monitor_Protocol|emCORE's Monitor Protocol]] that uses [http://libusb.org/wiki/libusb-1.0 libusb 1.0] to connect to a device running emCORE and [http://fuse.sourceforge.net/ FUSE] to mount its storage in a directory.

==Installation instructions==
There's an installation wizard available on [[EmCORE Installation|this page]].

==Uninstallation instructions==
There's an uninstallation wizard available on [[EmCORE Uninstallation|this page]].
151e8a8747df48130d0bf87429746c908c7721f7 IBugger 0 116 21984 4065 2023-01-09T16:36:08Z Q3k 6232 wikitext text/x-wiki
{{outdated|reason=[[WInd3x|wInd3x]] is now the main tool used by developers to experiment with iPods.}}
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]
The two iBugger utilities use a Python script that handles USB communication with the iPod.

===iBugger Loader===
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB.
The most recent released version of the iBugger package is located [http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code. You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos.

===iBugger (Core)===
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB. Current features are:
* Up- and downloading memory regions
* Executing uploaded code
* Dumping the processor's registers
* Halting the program and showing/modifying registers and/or memory contents
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)
* Very few changes needed to the code being debugged, to allow running it in iBugger
There are iBugger releases for the 2G and 4G Nanos.
5453f621983ba71ff26fdda93c303a2158f70776 ILoader 0 146 21985 3834 2023-01-09T16:36:35Z Q3k 6232 wikitext text/x-wiki
{{outdated|reason=[[U-Boot]] is the current approach for starting custom firmware on iPods.}}
0716cfc3f2420b8ca50ece7753a5d4cadd3204f4 U-Boot 0 6432 21986 21948 2023-01-09T16:38:04Z Q3k 6232 wikitext text/x-wiki
== U-Boot Port ==
An experimental U-Boot port for the iPod Nano 5G lives at https://github.com/freemyipod/u-boot/tree/n5g-wip .
It can be started using [[wInd3x]] and will start up a CDC-ACM serial console over USB for debugging purposes. Currently it has no storage driver.

The current port expects to be loaded in place of [[OSOS]], e.g. by packaging it into an IMG1 and sending it to [[WTF]]. This is what wInd3x does. This way, U-Boot does not have to do any of the 'annoying' early boot stuff like bringing up DRAM.

=== Building ===
 make nano5g_defconfig
 make CROSS_COMPILE=arm-none-eabi-

=== Running ===
After building, connect your iPod Nano 5G in [[Modes|DFU Mode]] and use [[wInd3x]] to start U-Boot:
 ./wInd3x cfw run u-boot.bin
When successfully started, U-Boot will then enumerate as a CDC-ACM device, e.g. appear as /dev/ttyACM0 on Linux hosts. You can use <code>screen /dev/ttyACM0</code> to connect to the console and experiment with the U-Boot console.
537334492a48e5dbf881b283130e8fb91ed4fead 22017 21986 2023-02-19T12:28:07Z Q3k 6232 wikitext text/x-wiki
== U-Boot Port ==
An experimental U-Boot port for the iPod Nano 5G lives at https://github.com/freemyipod/u-boot/tree/n5g-wip . It can be started using [[wInd3x]] and will start up a CDC-ACM serial console over USB for debugging purposes. Currently it has no storage driver.

The current port expects to be loaded in place of [[OSOS]], e.g. by packaging it into an IMG1 and sending it to [[WTF]]. This is what wInd3x does. This way, U-Boot does not have to do any of the 'annoying' early boot stuff like bringing up DRAM.

=== Building ===
 make nano5g_defconfig
 make CROSS_COMPILE=arm-none-eabi-

=== Running ===
After building, connect your iPod Nano 5G in [[Modes|DFU Mode]] and use [[wInd3x]] to start U-Boot:
 ./wInd3x cfw run u-boot.bin
When successfully started, U-Boot will then enumerate as yet another DFU device, this time ready to receive a U-Boot compatible image. You can load an image using dfu-util:
 dfu-util -d 05ac:2137 -D foo -R
Note the <code>-R</code>: this is needed to get U-Boot to exit DFU mode and actually execute the image.
fa00ee3f3e99b6463693d16c938f14b1fd0920ff Boot Process 0 6435 21987 2023-01-09T16:47:59Z Q3k 6232 Created page with "== S5L87xx iPod Boot Process == This summarizes the boot process of Samsung S5L87XX based iPods (Nano 3G+, Classic). === BootROM === The S5L87xx SoC starts executing the ..." wikitext text/x-wiki
== S5L87xx iPod Boot Process ==
This summarizes the boot process of Samsung S5L87XX based iPods (Nano 3G+, Classic).

=== BootROM ===
The S5L87xx SoC starts executing the [[Bootrom]] at power up. The BootROM mainly lives at 0x20000000, but is also mapped to 0x00000000 as that's where the ARM core expects interrupt vectors to be present.

The BootROM does the bare minimum to load a second stage: set up stacks/modes, bring up PLLs, and open clock gates for AES/NAND/NOR/USB as needed.

The BootROM then checks a few conditions (like GPIO, probably set by the clickwheel controller) to decide what to do next:
# Load a second stage bootloader from NOR
# Load a second stage bootloader from NAND
# Start DFU mode over USB
Starting DFU mode is also the fail-safe mode that the BootROM will run if other boot methods fail.

The second-stage bootloader (loaded as an [[IMG1]]) is signature checked, decrypted, and executed.

=== Second Stage Bootloader (bootloader / WTF) ===
When loaded from NAND/NOR this bootloader is referred to as 'bootloader'. When loaded over DFU during recovery mode, it's called 'WTF'. They are pretty much the same codebase, with slight differences in the 'main' flow of booting the next stage.

The bootloader/WTF images are based around EFI, and thus quite modular. When further booting another EFI-based payload, e.g. Diags, the bootloader/WTF's EFI interfaces are also available to the latter stage.

This stage initializes a bunch of peripherals/subsystems, like DRAM, the LCD, UART, the interrupt controller(s), [[FTL]], ...

Depending on the implementation (WTF vs.
bootloader), pressed keys and other unknown conditions it will either continue booting [[OSOS]] (or diagnostics/disk mode/aupd) from NAND or go into another USB DFU mode. The WTF by default goes into USB DFU. This permits another [[IMG1]] being loaded and executed. As with the BootROM, the bootloader/DFU perform IMG1 signature checking and decryption. 71da04cc8b600a378b4064593e28f2a7bee78247 Main Page 0 50 21988 21980 2023-01-09T16:48:14Z Q3k 6232 /* Reverse engineering results */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == What can I do with my iPod Nano 2/3/4/5/6/7? == Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] 
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. 
It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. 
This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address 
bruteforcing]] ** [[Nanotron 3000]] |} 98e8ff6ebb2286ac0c4d2887eaef45c6f8bf5f2b 21989 21988 2023-01-09T16:50:03Z Q3k 6232 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod Nano 2 or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod Nano 3/4/5 and iPod Classic? === Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. === What can I do with my iPod Nano 6/7? === Nothing, other than helping us find vulnerabilities to get code execution on them. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! 
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. 
Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 7483282943982de5254824d5306aa3d8786028a2 21993 21989 2023-01-14T01:36:45Z User890104 124 wikitext text/x-wiki __NOTOC__ 
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod Nano 2, iPod Classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod Nano 3/4/5? === Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's an early effort to port the Linux kernel to devices supported by wInd3x. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. === What can I do with my iPod Nano 6/7? === Nothing, other than helping us find vulnerabilities to get code execution on them. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. 
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! 
All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} c3af1e935dbc40174b4a088e63eb21ed9825b0c4 21995 21993 2023-01-20T19:26:58Z Q3k 6232 wikitext text/x-wiki __NOTOC__ 
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod Nano 2, iPod Classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod Nano 3/4/5? === Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. === What can I do with my iPod Nano 6/7? === Nothing, other than helping us find vulnerabilities to get code execution on them. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. 
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! 
All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[OSOS]] *** [[OSOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 0ea74afc203d5f80a63103bbd37c2842d5c693a2 22002 21995 2023-02-12T14:13:04Z Q3k 6232 /* Reverse 
engineering results */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod Nano 2, iPod Classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod Nano 3/4/5? === Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. === What can I do with my iPod Nano 6/7? === Nothing, other than helping us find vulnerabilities to get code execution on them. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. 
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! 
All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 5c95dc204df11bc06425402158215d781f8d29dc Status 0 121 21990 21966 2023-01-09T16:51:31Z Q3k 
6232 wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. This is mostly a summary of reverse engineering and 'janitorial' work required to run end-user software like Rockbox or Linux. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G|"Nano" 6G]]<ref name="nano6g7g"/> !! [[Nano 7G|"Nano" 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Tethered'''</span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:red">'''No'''<ref name="newexploit"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware decryption | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[U-Boot]] | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot [[OSOS]] | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> 
| <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="newexploit">We need a new exploit to execute code on this device.</ref> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and if we want to do something with them at all.</ref> <ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain which negates the need of some features.</ref> </references> 412654a64488507bfae13875f8d1885ea78165c2 Hardware 0 54 21991 3927 2023-01-09T16:53:14Z Q3k 6232 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on its link. {| class="wikitable" ! Generation !! CPU !! RAM !! size !! Utility flash !! 
size |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41856 SST39WF400A] |512kB |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] |32MB |[http://www.sst.com/products/?inode=41422 SST39WF800A] |1MB |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |32MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Nano 4G]] |S5L8720 |Integrated |32MB |? |? |- |[[Nano 5G]] |S5L8730 |Integrated |64MB |? |? |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated |64MB |? |? |- |[[Nano 6G|Nano 7G]] |S5L8740 |Integrated |? |? |? |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] |64MB |[http://www.sst.com/products/?inode=41340 SST25VF080B] |1MB |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 73768b564e3e8afe016afbb096fff2c596addd2d 22020 21991 2023-02-23T17:06:28Z Q3k 6232 wikitext text/x-wiki This is just a basic 
comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! NOR/Utility Flash !! Codename |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41856 SST39WF400A] (512KiB) | |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41422 SST39WF800A] (1MiB) | |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (32MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |- |[[Nano 4G]] |S5L8720 |Integrated (32MiB) | ''none'' | N58 |- |[[Nano 5G]] |S5L8730 |Integrated (64MiB) | ''none'' | N33 |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated | ''none'' | N20 |- |[[Nano 7G|Nano 7G]] |S5L8740 |Integrated | ''none'' | N31 |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx 
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 59f15fe43bbf8f69e388b9748a6532e71eb12f19 22021 22020 2023-02-23T17:32:12Z Q3k 6232 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! NOR/Utility Flash !! Codename |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41856 SST39WF400A] (512KiB) | |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41422 SST39WF800A] (1MiB) | |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (32MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | N46 |- |[[Nano 4G]] |S5L8720 |Integrated (32MiB) | ''none'' | N58 |- |[[Nano 5G]] |S5L8730 |Integrated (64MiB) | ''none'' | N33 |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated | ''none'' | N20 |- |[[Nano 7G|Nano 7G]] |S5L8740 |Integrated | ''none'' | N31 |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] (64MiB) 
|[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 48ecbe22f6d791f313e9f975fb77901adb7f1298 22023 22021 2023-02-25T20:30:02Z Q3k 6232 Add UpdaterFamilyID wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! NOR/Utility Flash !! Codename !! UpdaterFamilyID |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41856 SST39WF400A] (512KiB) | | |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41422 SST39WF800A] (1MiB) | | |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (32MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | N46 | 26 |- |[[Nano 4G]] |S5L8720 |Integrated (32MiB) | ''none'' | N58 | 31 |- |[[Nano 5G]] |S5L8730 |Integrated (64MiB) | ''none'' | N33 | 34 |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated | ''none'' | N20 | 36 |- |[[Nano 7G|Nano 7G]] |S5L8740 |Integrated | ''none'' | N31 | 37 |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 2G]] |S5L8702 
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ cde37a090f07976608c96d971da7dd483a739bc2 22024 22023 2023-02-25T20:31:37Z Q3k 6232 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! CPU !! RAM !! NOR/Utility Flash !! Codename !! 
UpdaterFamilyID |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41856 SST39WF400A] (512KiB) | | |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41422 SST39WF800A] (1MiB) | | |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (32MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | N46 | 26 |- |[[Nano 4G]] |S5L8720 |Integrated (32MiB) | ''none'' | N58 | 31 |- |[[Nano 5G]] |S5L8730 |Integrated (64MiB) | ''none'' | N33 | 34 |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated | ''none'' | N20 | 36 |- |[[Nano 7G|Nano 7G]] |S5L8740 |Integrated (64MiB) | ''none'' | N31 | 37 |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information 
*http://dendrites.blog.163.com/blog/static/165376178201082112922174/ 55225f76a1642f39489cad15f1c26f75a3278b55 22025 22024 2023-02-25T22:37:04Z Q3k 6232 wikitext text/x-wiki This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link. {| class="wikitable" ! Generation !! SoC !! RAM !! NOR/Utility Flash !! Codename !! UpdaterFamilyID |- |[[Nano 1G]] |PP5021C-TDF |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41856 SST39WF400A] (512KiB) | | |- |[[Nano 2G]] |S5L8701 |[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&partnum=K4M56163PG K4M56163PG] (32MiB) |[http://www.sst.com/products/?inode=41422 SST39WF800A] (1MiB) | | |- |[[Nano 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (32MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | N46 | 26 |- |[[Nano 4G]] |S5L8720 |Integrated (32MiB) | ''none'' | N58 | 31 |- |[[Nano 5G]] |S5L8730 |Integrated (64MiB) | ''none'' | N33 | 34 |- |[[Nano 6G|Nano 6G]] |S5L8723 |Integrated | ''none'' | N20 | 36 |- |[[Nano 7G|Nano 7G]] |S5L8740 |Integrated (64MiB) | ''none'' | N31 | 37 |- |[[Classic 1G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 2G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] (1MiB) | | |- |[[Classic 3G]] |S5L8702 |[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X51163PE] (64MiB) |[http://www.sst.com/products/?inode=41340 SST25VF080B] 
(1MiB) | | |} Concerning the detailed generation pages: If you can prove or disprove any of these chip names, please let us know: [[Contact]] ==Helpful pages== Chip analyses *http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx *http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx Additional information *http://dendrites.blog.163.com/blog/static/165376178201082112922174/ f989c5bbbfc7267a84c17b5bb66779aff5dbb59f Contact 0 259 21992 21955 2023-01-09T17:23:45Z User890104 124 wikitext text/x-wiki There are various ways to contact the freemyipod team. Please do '''not''' contact us about any iOS device like iPod touch. We don't do anything with them nor can we help you with anything on these devices. == IRC == We have an IRC channel on [https://libera.chat/ Libera]. * You can join it on [ircs://irc.libera.chat/freemyipod #freemyipod]. (Web client [https://web.libera.chat/?channels=#freemyipod here]) IRC logs are available, please check https://logs.freemyipod.org for the logfiles. They might not be up-to-date, and automatic sync is planned. If you have questions about rockbox that are not iPod related, please look for support at [https://www.rockbox.org/ rockbox.org] and if you happen to have any question related to the original iPod firmware please ask elsewhere. == Matrix == The IRC channel above is bridged to [https://matrix.to/#/#freemyipod:hackerspace.pl #freemyipod:hackerspace.pl] on Matrix. == Discord == While not an official channel for support, you can find others interested in iPod Nano/Classic development in the [https://discord.gg/7PnGEXjW3X iPod Nano Hacking discord server]. == Mailing lists == We used to have mailing lists, but they are not operational anymore. == Mail == We used to have individual mailboxes for project members, but they are not operational anymore. 
9e77e13a0c9bc2ff0520c7a173aed6d92360ce24

Linux 0 6436 21994 2023-01-20T19:26:10Z Q3k 6232 Created page with " == Current: Freemyipod Linux == We are working on supporting Samsung/S5L-based devices which have an MMU. Currently our main focus is the [[Nano 5G]], and an experimental so..." wikitext text/x-wiki

== Current: Freemyipod Linux ==

We are working on supporting Samsung/S5L-based devices which have an MMU. Currently our main focus is the [[Nano 5G]], and an experimental source tree is available on [https://github.com/freemyipod/linux github.com/freemyipod/linux].

=== User Guide ===

Not yet available, as the Linux port isn't yet practical to use. We have no storage drivers, no screen driver, no sound driver...

=== Developer Guide ===

If you're somewhat familiar with embedded Linux, you can get started on the Nano 5G by building [[WInd3x|wInd3x]], [[U-Boot]] and the Kernel as described below. However, '''you will have to provide your own userland''' (eg. buildroot, archlinux arm, ... anything armv6 compatible) and either run it from an initramfs or over NFS.

'''A serial cable is currently necessary to get everything running.'''

==== Build everything ====

''These are not copy-paste instructions. You are expected to understand what's happening.''

You will need an arm-none-eabi- toolchain in your $PATH, eg. gcc-arm-embedded from your package manager.

First, wInd3x: this will be used to run u-boot.

 $ git clone https://github.com/freemyipod/wInd3x
 $ cd wInd3x
 $ go build ./

Second, U-Boot:

 $ git clone https://github.com/freemyipod/u-boot
 $ cd u-boot
 $ git checkout n5g-wip
 $ make nano5g_defconfig
 $ make CROSS_COMPILE=arm-none-eabi- u-boot.bin

Third, Linux:

 $ git clone https://github.com/freemyipod/linux
 $ cd linux
 $ git checkout n5g-wip
 $ make ARCH=arm nano5g_defconfig
 $ make ARCH=arm CROSS_COMPILE=arm-none-eabi- -j 32 uImage

By this point, have an initramfs ready. If you wanna boot directly from nfs, edit CMDLINE in the kernel .config accordingly.

Finally, bundle together a u-boot image containing the kernel, your initramfs, and the device-tree (built by u-boot):

 $ mkimage -A arm -C none -O linux -T multi -a 0x08000000 -e 0x08000000 -d arch/arm/boot/zImage:initramfs.gz:../u-boot/arch/arm/dts/s5l8730.dtb mImage

''mImage'' is your combined image.

==== Running ====

Connect your Nano 5G in DFU mode. Run u-boot using wInd3x:

 $ ./wInd3x cfw run ../u-boot/u-boot.bin

This should start u-boot. Running this for the first time will take a while, as some bootloader stages need to be downloaded, decrypted and modified. Once it's done, over serial (baudrate 115200), you should now see:

 U-Boot 2023.01-rc4-q3k-00056-g47f65730fa-dirty (Jan 01 1980 - 00:00:00 +0000)
 CPU: Samsung/Apple S5L8730
 Model: Apple iPod Nano 5G
 DRAM: 64 MiB
 Core: 5 devices, 5 uclasses, devicetree: separate
 MMC:
 Loading Environment from nowhere... OK
 In: serial@3cc00000
 Out: serial@3cc00000
 Err: serial@3cc00000
 Net: No ethernet found.
 =>

Tell u-boot to start a DFU gadget so that you can load your ''mImage'':

 => dfu 0 ram 0

This will make a new USB device (05ac:2137) appear on your host. Use dfu-util to upload mImage:

 dfu-util -d 05ac:2137 -D linux/mImage

Then, in the u-boot console, as prompted, press Ctrl-C and then boot the mImage:

 #DOWNLOAD ... OK
 Ctrl+C to exit ...
 => bootm
 ## Booting kernel from Legacy Image at 08000000 ...
 ...
 Starting kernel ...
 [ 0.000000] Booting Linux on physical CPU 0x0
 [ 0.000000] Linux version 6.2.0-rc4-00476-g4c4af4d7e53c (q3k@mimeomia) (arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release), GNU ld (GNU Arm Embedded Toolchain 10.3-2021.10) 2.36.1.20210621) #70 Fri Jan 20 18:02:56 CET 2023
 ...

If everything goes well, the kernel should boot up and attempt to mount a rootfs. It's up to you to get this part working, at least until we streamline the process.

The USB CDC EEM ethernet gadget should also appear on your host (probably as usb0, or some long systemd predictable name).
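
Before uploading ''mImage'' with dfu-util it can be checked on the host. The following is an added example, not code from the freemyipod project: it parses the legacy U-Boot multi-file image that <code>mkimage -T multi</code> writes, verifies the header and data CRC32, and confirms the 0x08000000 load/entry address and the three components used above. The function names and the sample payloads are constructed for illustration.

```python
import struct
import zlib
from dataclasses import dataclass

# Legacy U-Boot image header: 64 bytes, every field big-endian.
HDR = struct.Struct(">7I4B32s")
MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE = 5, 2, 4, 0
EXPECTED_ADDR = 0x08000000   # value given to mkimage -a / -e in this guide
EXPECTED_PARTS = 3           # zImage : initramfs.gz : s5l8730.dtb


@dataclass
class LegacyImage:
    load: int
    entry: int
    os: int
    arch: int
    type: int
    comp: int
    name: str
    parts: list              # component payloads, in mkimage -d order


def parse_multi_image(blob):
    """Parse a legacy image and verify both CRC32s; ValueError on damage."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than the 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, type_, comp, name) = HDR.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # The header CRC covers the header with its own CRC field zeroed.
    if zlib.crc32(blob[:4] + b"\0" * 4 + blob[8:HDR.size]) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[HDR.size:HDR.size + size]
    if len(data) != size:
        raise ValueError("truncated: header claims %d data bytes" % size)
    if zlib.crc32(data) != dcrc:
        raise ValueError("data CRC mismatch")
    parts = []
    if type_ == IH_TYPE_MULTI:
        # Multi-file data starts with a zero-terminated table of u32 sizes.
        sizes, off = [], 0
        while True:
            if off + 4 > len(data):
                raise ValueError("size table is not zero-terminated")
            (n,) = struct.unpack_from(">I", data, off)
            off += 4
            if n == 0:
                break
            sizes.append(n)
        for n in sizes:
            if off + n > len(data):
                raise ValueError("component overruns the image")
            parts.append(data[off:off + n])
            off += (n + 3) & ~3      # next component is 4-byte aligned
    return LegacyImage(load, entry, os_, arch, type_, comp,
                       name.rstrip(b"\0").decode("ascii", "replace"), parts)


def check_for_nano5g(img):
    """Return a list of mismatches against the mkimage call in this guide."""
    problems = []
    if img.type != IH_TYPE_MULTI:
        problems.append("not a multi-file image")
    if (img.os, img.arch, img.comp) != (IH_OS_LINUX, IH_ARCH_ARM, IH_COMP_NONE):
        problems.append("expected OS=linux, arch=arm, compression=none")
    if img.load != EXPECTED_ADDR or img.entry != EXPECTED_ADDR:
        problems.append("load/entry 0x%08x/0x%08x, expected 0x%08x"
                        % (img.load, img.entry, EXPECTED_ADDR))
    if img.type == IH_TYPE_MULTI and len(img.parts) != EXPECTED_PARTS:
        problems.append("%d components, expected kernel, initramfs and dtb"
                        % len(img.parts))
    return problems


def build_multi_image(parts, load=EXPECTED_ADDR, entry=EXPECTED_ADDR):
    """Build a tiny image the way mkimage lays it out (for the sample only)."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + b"\0" * 4
    data = table + b"".join(p + b"\0" * (-len(p) % 4) for p in parts)
    fields = [MAGIC, 0, 0, len(data), load, entry, zlib.crc32(data),
              IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE,
              b"constructed sample"]
    fields[1] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields) + data


# Constructed stand-ins for zImage, initramfs.gz and the device tree blob.
SAMPLE = build_multi_image([b"KERNEL-STANDIN", b"INITRAMFS", b"DTB!!"])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    image = parse_multi_image(blob)
    print("components:", [len(p) for p in image.parts])
    for line in check_for_nano5g(image) or ["image matches the guide"]:
        print(line)
```

Run it with the path to your mImage as the only argument; without one it checks the built-in constructed sample.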
The other end will be visible as 'usb0' on the device.

Now go on and have a go at reverse-engineering some peripherals! :)

== Legacy: iPodLinux ==

The [http://www.ipodlinux.org/ iPodLinux] project supports all the PortalPlayer based iPods: iPod 1G-4G, Photo/Color, Video/5G/5.5G, Mini, iPod Nano 1G. It is currently semi-abandoned, and uses a very old ucLinux kernel build.

e27c435c52e5dda36e6b7bd304c0af4c340b937a

21996 21994 2023-01-20T19:28:38Z Q3k 6232 wikitext text/x-wiki

== Current: Freemyipod Linux ==

We are working on supporting Samsung/S5L-based devices which have an MMU. Currently our main focus is the [[Nano 5G]], and an experimental source tree is available on [https://github.com/freemyipod/linux github.com/freemyipod/linux].

=== User Guide ===

Not yet available, as the Linux port isn't yet practical to use. We have no storage drivers, no screen driver, no sound driver...

=== Developer Guide ===

If you're somewhat familiar with embedded Linux, you can get started on the Nano 5G by building [[WInd3x|wInd3x]], [[U-Boot]] and the Kernel as described below. However, '''you will have to provide your own userland''' (eg. buildroot, archlinux arm, ... anything armv6 compatible) and either run it from an initramfs or over NFS.

'''A serial cable is currently necessary to get everything running.'''

==== Build everything ====

''These are not copy-paste instructions. You are expected to understand what's happening.''

You will need an arm-none-eabi- toolchain in your $PATH, eg. gcc-arm-embedded from your package manager.

First, wInd3x: this will be used to run u-boot.

 $ git clone https://github.com/freemyipod/wInd3x
 $ cd wInd3x
 $ go build ./

Second, U-Boot:

 $ git clone https://github.com/freemyipod/u-boot
 $ cd u-boot
 $ git checkout n5g-wip
 $ make nano5g_defconfig
 $ make CROSS_COMPILE=arm-none-eabi- u-boot.bin -j 32

Third, Linux:

 $ git clone https://github.com/freemyipod/linux
 $ cd linux
 $ git checkout n5g-wip
 $ make ARCH=arm nano5g_defconfig
 $ make ARCH=arm CROSS_COMPILE=arm-none-eabi- -j 32 zImage

By this point, have an initramfs ready. If you wanna boot directly from nfs, edit CMDLINE in the kernel .config accordingly.

Finally, bundle together a u-boot image containing the kernel, your initramfs, and the device-tree (built by u-boot):

 $ mkimage -A arm -C none -O linux -T multi -a 0x08000000 -e 0x08000000 -d arch/arm/boot/zImage:initramfs.gz:../u-boot/arch/arm/dts/s5l8730.dtb mImage

''mImage'' is your combined image.

==== Running ====

Connect your Nano 5G in DFU mode. Run u-boot using wInd3x:

 $ ./wInd3x cfw run ../u-boot/u-boot.bin

This should start u-boot. Running this for the first time will take a while, as some bootloader stages need to be downloaded, decrypted and modified. Once it's done, over serial (baudrate 115200), you should now see:

 U-Boot 2023.01-rc4-q3k-00056-g47f65730fa-dirty (Jan 01 1980 - 00:00:00 +0000)
 CPU: Samsung/Apple S5L8730
 Model: Apple iPod Nano 5G
 DRAM: 64 MiB
 Core: 5 devices, 5 uclasses, devicetree: separate
 MMC:
 Loading Environment from nowhere... OK
 In: serial@3cc00000
 Out: serial@3cc00000
 Err: serial@3cc00000
 Net: No ethernet found.
 =>

Tell u-boot to start a DFU gadget so that you can load your ''mImage'':

 => dfu 0 ram 0

This will make a new USB device (05ac:2137) appear on your host. Use dfu-util to upload mImage:

 dfu-util -d 05ac:2137 -D linux/mImage

Then, in the u-boot console, as prompted, press Ctrl-C and then boot the mImage:

 #DOWNLOAD ... OK
 Ctrl+C to exit ...
 => bootm
 ## Booting kernel from Legacy Image at 08000000 ...
 ...
 Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0 [ 0.000000] Linux version 6.2.0-rc4-00476-g4c4af4d7e53c (q3k@mimeomia) (arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release), GNU ld (GNU Arm Embedded Toolchain 10.3-2021.10) 2.36.1.20210621) #70 Fri Jan 20 18:02:56 CET 2023 ... If everything goes well, the kernel should boot up and attempt to mount a rootfs. It's up to you to get this part working, at least until we streamline the process. The USB CDC EEM ethernet gadget should also appear on your host (probably as usb0, or some long systemd predictable name). The other end will be visible as 'usb0' on the device. Now go on and have a go at reverse-engineering some peripherals! :) == Legacy: iPodLinux == The [http://www.ipodlinux.org/ iPodLinux] project supports all the PortalPlayer based iPods: iPod 1G-4G, Photo/Color, Video/5G/5.5G, Mini, iPod Nano 1G. It is currently semi-abandoned, and uses a very old ucLinux kernel build. 8387033011453ceb483e443ea60fb2ae2ffc8da9 22018 21996 2023-02-19T12:31:29Z Q3k 6232 wikitext text/x-wiki == Current: Freemyipod Linux == We are working on supporting Samsung/S5L-based devices which have an MMU. Currently our main focus is the [[Nano 5G]], and an experimental source tree is available on [https://github.com/freemyipod/linux github.com/freemyipod/linux]. === User Guide === Not yet available, as the Linux port isn't yet practical to use. We have no storage drivers, no screen driver, no sound driver... === Developer Guide === If you're somewhat familiar with embedded Linux, you can get started on the Nano 5G by building [[WInd3x|wInd3x]], [[U-Boot]] and the Kernel as described below. However, '''you will have to provide your own userland''' (eg. buildroot, archlinux arm, ... anything armv6 compatible) and either run it from an initramfs or over NFS. '''A serial cable is not necessary, but very useful to troubleshoot boot issues.''' ==== Build everything ==== ''These are not copy-paste instructions. 
You are expected to understand what's happening.' You will need an arm-none-eabi- toolchain into your $PATH, eg. gcc-arm-embedded from your package manager. First, wInd3x: this will be used to run u-boot. $ git clone https://github.com/freemyipod/wInd3x $ cd wInd3x $ go build ./ Second, U-Boot: $ git clone https://github.com/freemyipod/u-boot $ cd u-boot $ git checkout n5g-wip $ make nano5g_defconfig $ make CROSS_COMPILE=arm-none-eabi- u-boot.bin -j 32 Third, Linux: $ git clone https://github.com/freemyipod/linux $ cd linux $ git checkout n5g-wip $ make ARCH=arm nano5g_defconfig $ make ARCH=arm CROSS_COMPILE=arm-none-eabi- -j 32 zImage By this point, have a initramfs ready. If you wanna boot directly from nfs, edit CMDLINE in the kernel .config accordingly. Finally, bundle together an u-boot image containing the kernel, your initramfs, and the device-tree (built by u-boot): $ mkimage -A arm -C none -O linux -T multi -a 0x08000000 -e 0x08000000 -d arch/arm/boot/zImage:initramfs.gz:../u-boot/arch/arm/dts/s5l8730.dtb mImage ''mImage'' is your combined image. ==== Running ==== Connect your Nano 5G in DFU mode. Run u-boot using wInd3x: $ ./wInd3x cfw run ../u-boot/u-boot.bin This should start u-boot. Running this for the first time will take a while, as some bootloader stages need to be downloaded, decrypted and modified. A new USB device (05ac:2137) appear on your host. Use dfu-util to upload mImage: dfu-util -d 05ac:2137 -D linux/mImage -R Then, in the serial console you'll see Linux booting: ## Booting kernel from Legacy Image at 08000000 ... ... Starting kernel ... [ 0.000000] Booting Linux on physical CPU 0x0 [ 0.000000] Linux version 6.2.0-rc4-00476-g4c4af4d7e53c (q3k@mimeomia) (arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release), GNU ld (GNU Arm Embedded Toolchain 10.3-2021.10) 2.36.1.20210621) #70 Fri Jan 20 18:02:56 CET 2023 ... The LCD display should start up and show a boot log. 
If not, try adding <code>console=tty0</code> to your CMDLINE? You might also use <code>fbcon=rotate:1</code> to rotate the framebuffer 90 degrees.

If everything goes well, the kernel should boot up and attempt to mount a rootfs. It's up to you to get this part working, at least until we streamline the process.

The USB CDC EEM ethernet gadget should also appear on your host (probably as usb0, or some long systemd predictable name). The other end will be visible as 'usb0' on the device.

Now go on and have a go at reverse-engineering some peripherals! :)

== Legacy: iPodLinux ==

The [http://www.ipodlinux.org/ iPodLinux] project supports all the PortalPlayer based iPods: iPod 1G-4G, Photo/Color, Video/5G/5.5G, Mini, iPod Nano 1G. It is currently semi-abandoned, and uses a very old ucLinux kernel build.

477379b7c6673992e94bc2df418de3fb45795653

RetailOS 0 6426 21997 21942 2023-02-12T14:12:31Z Q3k 6232 wikitext text/x-wiki

The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==

The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.

== Architecture ==

OSOS is a small, embedded, single-user, single-binary, real-time operating system. Over time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>

== Security ==

As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

=== Boot chain ===

OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (eg. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.

=== eApp Signing ===

Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==

We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]].

== External links ==

* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]

27566967adb45c32552ab5b9eb2ed6b2fb331a54

21998 21997 2023-02-12T14:12:40Z Q3k 6232 Q3k moved page [[OSOS]] to [[RetailOS]] wikitext text/x-wiki

The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==

The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.

== Architecture ==

OSOS is a small, embedded, single-user, single-binary, real-time operating system. Over time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>

== Security ==

As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.

=== Boot chain === OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]]. == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 27566967adb45c32552ab5b9eb2ed6b2fb331a54 22003 21998 2023-02-12T14:13:48Z Q3k 6232 wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. 
=== Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 65dd606e6c1ad722938449c2bef1890308b685d5 22007 22003 2023-02-18T20:54:42Z Q3k 6232 wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. 
=== Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | void KS_pend(SEMA sema) || 0x03 || Semaphore DONE -> PENDING. |- | RTXCMSG *KS_receive(MBOX mailbox, TASK task) || 0x05 || Receive from mailbox. |- | KSRC KS_enqueue[w](QUEUE queue, void *entry) || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | void KS_dequeue[w](QUEUE queue, void *dest) || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | void KS_execute(TASK task) || 0x15 || Start a task from its beginning address. |- | KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void)) || 0x16 || Define the attributes of an inactive task. |- | TASK KS_alloc_task(void) || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] f19c1b9e947c395dac0f6ca391d03b5f9ff5e3e5 22008 22007 2023-02-18T21:15:59Z Q3k 6232 /* Services / Syscalls */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. 
It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. 
|- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. 
|- | <code>time_T KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | ??? || 0x25 || Used in RetailOS. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | ??? || 0x30 || Used in RetailOS. |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] ed3872c6f8c2e416cc26ce50c96ad6f37bc23ded 22009 22008 2023-02-18T21:26:36Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. 
This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). 
|- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_T KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | ??? || 0x25 || Used in RetailOS. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. 
|- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | ??? || 0x30 || Used in RetailOS. |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] d8a694218a65c66e6ae1315c260546b9c1036709 22010 22009 2023-02-18T21:39:42Z Q3k 6232 /* Services / Syscalls */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. 
the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. 
|- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. 
|- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | ??? || 0x30 || Used in RetailOS. |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] cd03711fb68a40873ea0117ddefa43177d097286 22011 22010 2023-02-18T21:43:08Z Q3k 6232 /* Services / Syscalls */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. 
Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. 
|- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. 
|} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 565e13bf31cf8cecee419e423b57042d1e9a2898 22012 22011 2023-02-18T21:45:33Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. 
== RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. 
|- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher. 
== External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 4cd1a2eeac7b7bd9aa949f85591c4193502beea5 22013 22012 2023-02-18T21:45:49Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. 
== RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === This table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. 
|- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher, at least on [[Nano 5G]]. 
== External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 7c7602193368abbfd1290814ac0b53b29ec7a9b9 22014 22013 2023-02-18T21:54:48Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. 
== RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering RetailOS. All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking). The following table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! 
Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. 
|- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher, at least on [[Nano 5G]]. == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 3014498ef7c015810974a1842589800c6a6f406d 22015 22014 2023-02-19T11:31:39Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. 
The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering RetailOS. 
All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking). The following table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. 
|- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. 
|- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || 
<code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || <code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] c1e98ff7c958657b9504be5f6f1fdc6b58aac0ad 22016 22015 2023-02-19T11:35:49Z Q3k 6232 wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real time operating system. 
With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. 
=== Services / Syscalls === While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering RetailOS. All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking). The following table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. 
|- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. 
|- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || 
<code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || <code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] e3d88ce4cc8e434161c60114fffae56747973c1d 22019 22016 2023-02-19T16:14:13Z Q3k 6232 /* RTXC */ wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'RetailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == RetailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial. === Boot chain === RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully.
Each game seems to ship with a Manifest.plist.p7p, which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering RetailOS. All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g.
blocking/nonblocking). The following table comes from cross-referencing RetailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address. |- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed.
|- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by RetailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || 
<code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} === Resources === The following lockable resources are defined in the [[Nano 3G]] RetailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || GPIO_REG_WRITE || |- | 0x02 || GPIO_INT_INIT || |- | 0x03 || RTC_TIME_ADJUST || |- | 0x04 || RTC_ALARM_ADJUST || |- | 0x05 || I2C_MASTER || |- | 0x06 || USB_GRANT || |- | 0x07 || USB_RESP_INIT || |- | 0x08 || USB_RESPONDER || |- | 0x09 || DISKPWRMGRSEND || |- | 0x0a || PIEZOMGRSEND || |- | 0x0b || SERIALVERIFIER || |- | 0x0c || RESISTORVERIFIER || |- | 0x0d || FW_IRAM || |- | 0x0e || ACCPOWER || |- | 0x0f || UARTA || |- | 0x10 || UARGB || |- | 0x11 || PMU_LOCK || |- | 0x12 || ADC_LOCK || |- | 0x13 || DTV_ENC_INIT || |- | 0x14 || BACKLIGHT || |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] 701fa5898261c917801b4108c2341417188259ab 22022 22019 2023-02-25T09:58:24Z Q3k 6232 RetailOS -> retailOS wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'retailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == retailOS is a small, embedded, single-user, single-binary, real-time operating system. With time it acquired more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial.
=== Boot chain === retailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p, which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == RTXC == === Documentation === This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions. There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. === Services / Syscalls === While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS. All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures.
There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking). The following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols. {| class="wikitable" |- ! Name !! Number !! Description |- | <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING. |- | <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox. |- | <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant). |- | <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant). |- | <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource. |- | <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout. |- | <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource. |- | <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool. |- | <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer. |- | <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer. |- | <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time. |- | <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address.
|- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by retailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || 
<code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} === Resources === The following lockable resources are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || GPIO_REG_WRITE || |- | 0x02 || GPIO_INT_INIT || |- | 0x03 || RTC_TIME_ADJUST || |- | 0x04 || RTC_ALARM_ADJUST || |- | 0x05 || I2C_MASTER || |- | 0x06 || USB_GRANT || |- | 0x07 || USB_RESP_INIT || |- | 0x08 || USB_RESPONDER || |- | 0x09 || DISKPWRMGRSEND || |- | 0x0a || PIEZOMGRSEND || |- | 0x0b || SERIALVERIFIER || |- | 0x0c || RESISTORVERIFIER || |- | 0x0d || FW_IRAM || |- | 0x0e || ACCPOWER || |- | 0x0f || UARTA || |- | 0x10 || UARGB || |- | 0x11 || PMU_LOCK || |- | 0x12 || ADC_LOCK || |- | 0x13 || DTV_ENC_INIT || |- | 0x14 || BACKLIGHT || |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] e2aadf975b1d61201095df7e5786dee68bb843b1 OSOS 0 6437 21999 2023-02-12T14:12:40Z Q3k 6232 Q3k moved page [[OSOS]] to [[RetailOS]] wikitext text/x-wiki #REDIRECT [[RetailOS]] de8b10bc4c60bcdb495fc6088e6022c22ebf1498 RetailOS Options 0 6425 22000 21934 2023-02-12T14:12:51Z Q3k 6232 Q3k moved page [[OSOS Options]] to [[RetailOS Options]] wikitext text/x-wiki [[OSOS]] has some 'secret' options that you can enable by placing files into iPod_Control/Device. The following table shows all known options, with information on which devices support them. Some of these appear to have no cross-references in q3k's decompilation, but that might be a tooling issue. Ideally, we should test every single one of these :). {| class="wikitable" |- ! File !! Functionality !! Nano 5G |- | '''_enable_options''' || '''This file must be present for any other option to work.''' || ✔️ |- | _show_numeric_volume || Displays numeric value when changing volume. || ✔️ |- | _disable_cache || || ✔️ (Unused?) |- | _go_fast || || ✔️ (Unused?) |- | _show_voltage || Displays battery voltage at bottom of screen. || ✔️ |- | _show_speed || || ✔️ |- | _show_memory || Displays heap statistics at bottom of screen. || ✔️ |- | _show_fps || || ✔️ |- | _disable_mbx_timeout || Mailbox timeouts?
PowerVR MBX timeouts? Untested. || ✔️ |- | _tvoutwidescreen || || ✔️ |- | _enable_logging || Writes high-level logs into iPod_Control/Logs. || ✔️ |- | _enable_crash_logging || || ✔️ (Unused?) |- | _enable_memory_logging || || ✔️ (Unused?) |- | _disable_jpeg_decoder || || ✔️ (Unused?) |- | _disable_sleep || || ✔️ |- | _hibe_sleep || || ✔️ |- | _disable_hibe || || ✔️ |- | _hibe_beep || || ✔️ |- | _short_deepsleep || || ✔️ |- | _no_deepsleep || Preempted by _short_deepsleep. || ✔️ |- | _dont_reject_vid || || ✔️ |- | _tcsize || File contents read (number likely expected). || ✔️ |- | _speed || File contents read (number likely expected). Default -1. || ✔️ (Unused?) |- | _no_vc0_autopower || || ✔️ (Unused?) |- | _autopow_overlay || || ✔️ (Unused?) |- | _dartboard || Weird mode in which menu/play are swapped and iTunes database seems to be ignored. || ✔️ |- | _show_brightness || || ✔️ (Unused?) |- | _car_adapter || || ✔️ |- | _usb_swap_configs || || ✔️ |- | _usb_audio_sinewave || || ✔️ |- | _usb_audio_authentication_optional || || ✔️ (Unused?) |- | _usb_audio_negotiation_optional || || ✔️ (Unused?) |- | _usb_audio_test_mode || || ✔️ (Unused?) |- | _usb_audio_lame_resampling || || ✔️ (Unused?) |- | _usb_audio_samplerate_match_style || || ✔️ (Unused?) |- | _usb_audio_resampling_method || || ✔️ (Unused?) |- | _usb_audio_show_status || || ✔️ |- | _serial_acc_iap_status || || ✔️ (Unused?) |- | _battery_always_low || || ✔️ |- | _show_cache_size || || ✔️ |- | _disable_unsplit_decoders || || ✔️ (Unused?) |- | _heap_beep || || ✔️ (Unused?) |- | _show_autobaud || || ✔️ |- | _ignore_volume_pref || || ✔️ |- | _no_volume_control || || ✔️ |- | _record_max_16mb || || ✔️ |- | _vp_lang || || ✔️ (Unused?) |- | _mockup_mode || || ✔️ (Unused?) |- | _tvout_video_display || || ✔️ (Unused?) |- | _deblocking_off || || ✔️ (Unused?) |- | _force_AACHE || || ✔️ (Unused?) |- | _force_AACLC || || ✔️ (Unused?) |- | _reset_rtc || || ✔️ (Unused?) 
|- | _no_volume_control || || ✔️ |- | _honor_repeat || || ✔️ |- | _rental_notify_always || || ✔️ |- | _uart30pin_debug || || ✔️ |- | _uart2_debug || Preempted by _uart30pin_debug. || ✔️ |- | _mie_on || || ✔️ (Unused?) |- | _dragster_on || || ✔️ (Unused?) |- | _try_spirit_codecs || || ✔️ |- | _amc_r2d || || ✔️ |- | _crossfade_on || || ✔️ (Unused?) |- | _mecca_trace_debug || || ✔️ (Unused?) |- | _use_aac_encoder || || ✔️ |- | _wheel_raw_data || || ✔️ (Unused?) |- | _wheel_app_data || || ✔️ |- | _accel_data || || ✔️ |- | _orient_me_not || || ✔️ |- | _shake_data || || ✔️ (Unused?) |- | _hold3beep || Halt and wait for JTAG in C_exception_handler. Probably. || ✔️ |- | _skipgamedrm || Seemingly allows Manifest.plist.p7b to not be present when reading eApps/games. If present, will still be checked. || ✔️ |- | _firewire_supported || || ✔️ |- | _debug_db || || ✔️ (Unused?) |- | _EQBiasScale || Contents read. || ✔️ (Unused?) |- | _RecorderGainDB || Contents read. || ✔️ (Unused?) |- | _SpeakerEQ_HPF_Fc || Contents read. || ✔️ (Unused?) |- | _SpeakerEQPreset || Contents read. || ✔️ (Unused?) |- | _RecorderGainLimit || Contents read. || ✔️ (Unused?) |- | _6bits_accel || || ✔️ (Unused?) |- | _disable_bpfix || || ✔️ (Unused?) 
|- | _tuner_readings_show || || ✔️ |- | _tuner_metadata_events_show || || ✔️ |- | _tuner_buffer_time_show || || ✔️ |- | _tuner_readings_logging || || ✔️ |- | _tuner_metadata_raw_logging || || ✔️ |- | _tuner_metadata_parsed_logging || || ✔️ |- | _tuner_scan_logging || || ✔️ |- | _tuner_auto_scan || || ✔️ |- | _tuner_softmute_disable || || ✔️ |- | _tuner_hicut_disable || || ✔️ |- | _hifi_video_encoding || || ✔️ |- | _no_look_ahead_video_encoding || || ✔️ |- | _look_ahead_video_encoding || || ✔️ |- | _bvtpowertest || || ✔️ |- | _disable_clock_gating || || ✔️ |- | _writerawyuvstills || || ✔️ |- | _ped_time_10x || || ✔️ |- | _power_testing || || ✔️ |- | _ped_xyz_logging || || ✔️ |- | _ped_heartbeat || || ✔️ |- | _ped_time_100x || || ✔️ |- | _ped_time_1000x || || ✔️ |- | _log_sys_model || || ✔️ (Unused?) |- | _fm_fieldtesting || || ✔️ |- | _nand_high_clock || || ✔️ (Unused?) |- | _disable_overlay_limit || || ✔️ (Unused?) |- | _show_max_battery || || ✔️ |- | _show_fixed_time || || ✔️ |- | _photo_albums_test || || ✔️ |- | _show_pll || || ✔️ |- | _hang_frame_drop || || ✔️ |- | _disable_overlay_limit || _enable_options not required. || ✔️ (Unused?) |- | _quick_3bits || _enable_options not required. || ✔️ (Unused?) |} 9359aa3d65f17141bba62c086fee885a739dc13e OSOS Options 0 6438 22001 2023-02-12T14:12:51Z Q3k 6232 Q3k moved page [[OSOS Options]] to [[RetailOS Options]] wikitext text/x-wiki #REDIRECT [[RetailOS Options]] 8719dfbb1891ae5247dcba9b23adea49e96c5061 OSOS Internals 0 6439 22006 2023-02-18T20:53:15Z Q3k 6232 Q3k moved page [[OSOS Internals]] to [[RetailOS Internals]] wikitext text/x-wiki #REDIRECT [[RetailOS Internals]] 73e3840d4046f73cf815ff3fb97ef50bb05465ef Nano 4G 0 243 22026 21908 2023-03-08T14:31:06Z Q3k 6232 wikitext text/x-wiki [[Image:nano_4g_frt_a.png|500px]] [[Image:nano_4g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | 2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |- | | SDRAM | | | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. |- | 4 | Accelerometer | [http://www.st.com/stonline/products/literature/ds/12726.pdf LIS302DL] | 33DL, 2827 | The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |- | 6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |- | 5 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf CS42L58] | 338S055C, 189N0824, SGP | I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |- | 1 | Power manager | Dialog D1759 | 338S0687-AC, 08288HBB | |- | 3 | | | | |} == Bootrom == See [[S5L8720 Bootrom]]. Different from the S5L8720 bootrom used in the iPod Touch 2G (which is iBoot-based, a.k.a. SecureROM). == Memory Map == See [https://www.theiphonewiki.com/wiki/S5L8720_(Hardware)] and [https://code.google.com/archive/p/chronicdev/wikis/N72APDevTree.wiki]. In addition to the above, a few extra memory regions have been found while reverse engineering the [[S5L8720 Bootrom]]: {| class="wikitable" ! Name !! Address !! Notes |- | Mystery DMA | 0x3880_0000 | A PL080-like DMA engine, but with slightly different MMIO register structure. 
Used by the [[S5L8720 Bootrom|bootrom]] to copy the DFU payload from 0x2200_0600 to 0x2200_0000 after decryption and verification. Or maybe that's actually doing the decryption? To be investigated. |- | Mystery Interrupt Thing | 0x39a0_0000 | Not the VICs (0x38e0_0000, 0x38e0_1000), not the EdgeIC (0x38e0_2000). Seems to hold 7 different 32-bit registers for interrupt status at 0xa0, and 7 different 32-bit registers for interrupt mask at 0xc0. The 7 different registers correspond to 7 'modes' of ISRs set up in the bootrom. Not much is known about what it does, and what these 'modes' are. To be investigated. |} ==Reverse Engineering Results== Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. ==Status registers== We dumped all c0 coprocessor registers: ===c0,c0=== '''Value:''' 0x410FB764 '''Interpretation:''' ARM1176 rev. 4 ===c0,c1=== '''Value:''' 0x1D152152 '''Interpretation:''' DCache/ICache 16KB each, 4 way associative, 32 bytes line size ===c0,c2=== '''Value:''' 0x00000000 '''Interpretation:''' No TCM ===c0,c3=== '''Value:''' 0x00000800 '''Interpretation:''' Unified TLB, 8 lockable entries ===c1,c0=== '''Value:''' 0x00000111 '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support ===c1,c1=== '''Value:''' 0x00000011 '''Interpretation:''' Trustzone v1 ===c1,c2=== '''Value:''' 0x00000033 '''Interpretation:''' Supports debug model v6.1, both applications processor and secure ===c1,c3=== '''Value:''' 0x00000000 '''Interpretation:''' No auxiliary features ===c1,c4=== '''Value:''' 0x01130003 '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7 ===c1,c5=== '''Value:''' 0x10030302 '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM) ===c1,c6=== '''Value:''' 0x01222100 '''Interpretation:''' WFI, Data synchronization barrier, 
Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation ===c1,c7=== '''Value:''' 0x00000000 '''Interpretation:''' No hierarchical cache maintenance support ===c2,c0=== '''Value:''' 0x00140011 '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB, doesn't support division, combined compare and branch or bitfield instructions ===c2,c1=== '''Value:''' 0x12002111 '''Interpretation:''' Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND ===c2,c2=== '''Value:''' 0x11231121 '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs ===c2,c3=== '''Value:''' 0x01102131 '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.
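The c0,c0, c0,c1 and c0,c3 values from the dump above can be decoded field by field to check the interpretations given. This is an added example, not code from the wiki or the project; it assumes the ARMv6 CP15 field layouts (Main ID, Cache Type, TLB Type) as described in the ARM1176JZF-S TRM, and all struct and function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the register dump on this page. */
#define MIDR_VALUE  0x410FB764u /* c0,c0: Main ID    */
#define CTR_VALUE   0x1D152152u /* c0,c1: Cache Type */
#define TLBTR_VALUE 0x00000800u /* c0,c3: TLB Type   */

/* Extract bits [hi:lo] of v (the field is narrower than 32 bits in every use). */
static uint32_t bits(uint32_t v, unsigned hi, unsigned lo)
{
    return (v >> lo) & ((1u << (hi - lo + 1)) - 1u);
}

struct midr { unsigned implementer, variant, architecture, part, revision; };

/* Main ID: implementer[31:24] variant[23:20] arch[19:16] part[15:4] rev[3:0]. */
struct midr decode_midr(uint32_t v)
{
    struct midr m = { bits(v, 31, 24), bits(v, 23, 20), bits(v, 19, 16),
                      bits(v, 15, 4),  bits(v, 3, 0) };
    return m;
}

struct cache_geom { int present; unsigned size_bytes, ways, line_bytes; };

/* One 12-bit Dsize/Isize field: size[9:6] assoc[5:3] M[2] len[1:0]. */
struct cache_geom decode_cache_field(uint32_t f)
{
    struct cache_geom g = { 0, 0, 0, 0 };
    unsigned size = bits(f, 9, 6), assoc = bits(f, 5, 3);
    unsigned m = bits(f, 2, 2), len = bits(f, 1, 0);
    unsigned mult = m ? 3u : 2u;        /* M selects the x3 size/way variants */

    if (assoc == 0 && m)
        return g;                       /* this encoding means "cache absent" */
    g.present = 1;
    g.size_bytes = mult << (size + 8);  /* size 0 -> 512 bytes (M = 0)        */
    g.ways = assoc ? mult << (assoc - 1) : 1u; /* assoc 0, M = 0: direct map  */
    g.line_bytes = 1u << (len + 3);     /* len 0 -> 2 words = 8 bytes         */
    return g;
}

struct ctr { unsigned ctype; int separate; struct cache_geom dcache, icache; };

/* Cache Type: ctype[28:25] S[24] Dsize[23:12] Isize[11:0]. */
struct ctr decode_ctr(uint32_t v)
{
    struct ctr c;
    c.ctype = bits(v, 28, 25);
    c.separate = (int)bits(v, 24, 24);  /* 1 = separate I and D caches */
    c.dcache = decode_cache_field(bits(v, 23, 12));
    c.icache = decode_cache_field(bits(v, 11, 0));
    return c;
}

struct tlbtr { int unified; unsigned d_lockable, i_lockable; };

/* TLB Type: ILsize[23:16] DLsize[15:8] U[0] (U = 0 means unified TLB). */
struct tlbtr decode_tlbtr(uint32_t v)
{
    struct tlbtr t = { bits(v, 0, 0) == 0, bits(v, 15, 8), bits(v, 23, 16) };
    return t;
}

int main(void)
{
    struct midr m = decode_midr(MIDR_VALUE);
    struct ctr c = decode_ctr(CTR_VALUE);
    struct tlbtr t = decode_tlbtr(TLBTR_VALUE);

    printf("MIDR: implementer 0x%02X, arch 0x%X, part 0x%03X, r%up%u\n",
           m.implementer, m.architecture, m.part, m.variant, m.revision);
    printf("CTR:  %s, D %u B / %u-way / %u B lines, I %u B / %u-way / %u B lines\n",
           c.separate ? "Harvard" : "unified",
           c.dcache.size_bytes, c.dcache.ways, c.dcache.line_bytes,
           c.icache.size_bytes, c.icache.ways, c.icache.line_bytes);
    printf("TLB:  %s, %u lockable entries\n",
           t.unified ? "unified" : "separate", t.d_lockable);
    return 0;
}
```
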
===c2,c4=== '''Value:''' 0x00001141 '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No barrier instructions support. ===c2,c5=== '''Value:''' 0x00000000 '''Interpretation:''' No additional implementation defined instruction set extensions ==Helpful pages== Teardowns: *http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1 Other: *http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) 6b0e20a26efcfd9752a4e972d010b31e4470a554 JTAG 0 6429 22027 21939 2023-03-08T17:40:16Z Q3k 6232 /* 'Memory locked out' JTAG */ wikitext text/x-wiki Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! Location |- | Nano 2G || JTAG (memory locked out) || 30-pin connector, needs jumpers |- | Nano 5G || JTAG (memory locked out) || 30-pin connector, needs jumpers |} === Nano 2G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 17 || TMS |- | 21 || TDI |- | 22 || TDO |- | 23 || TCK |- | 24 || nTRST |} In addition, the following pads need to be bridged on the logic board: [[Image:Top_annote.jpg|500px]] === Nano 5G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 3 || RTCK (optional) |- | 5 || TDO |- | 9 || TDI |- | 14 || TCK |- | 17 || TMS |} In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board: [[Image:Nano5G JTAG.png|500px]] == 'Memory locked out' JTAG == Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. 
In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the [[Nano2G_HW_analysis|Nano 2G initial reverse engineering process]] low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found. [[Image:Nano5G Broken JTAG.png|300px]] The above listing shows OpenOCD/GDB connected to a Nano 5G a while after it has been first scanned via JTAG. It seems to be stuck in a permanent 'data abort' handler loop, with some pretty trashed register values (although some of them are still in valid range for running the BootROM). What has been attempted so far: # Making sure the WDT isn't running. # Writing to CHIPID in an attempt to 'demote' the devices à la iOS. # Connecting while the device is in the BootROM. # Using a fancy JTAG probe (Lauterbach) # Writing to 0x3970_0104 (which seems to have three security write-only bits, two of which disable built-in AES keys, the third being unknown) Other observations: # The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does). # This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely. # The implementation might be Samsung's 'SecureJTAG', as used in eg. the [https://web.archive.org/web/20230308173730/http://www.fdi.ucm.es/profesor/mendias/psyd/docs/S5PC100.pdf S5PC100]. However, the S5L87xx does not seem to have eFUSE registers that would hold a key as described in this datasheet - or such a register hasn't yet been found. It is also unknown, given the key, how to actually send it over JTAG to unlock it. 
2194c4276262af3405847b75648d472bf30f31ab 22028 22027 2023-03-08T18:25:54Z Q3k 6232 /* 'Memory locked out' JTAG */ wikitext text/x-wiki Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started. == Devices == {| class="wikitable" |- ! Device !! Protocol !! Location |- | Nano 2G || JTAG (memory locked out) || 30-pin connector, needs jumpers |- | Nano 5G || JTAG (memory locked out) || 30-pin connector, needs jumpers |} === Nano 2G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 17 || TMS |- | 21 || TDI |- | 22 || TDO |- | 23 || TCK |- | 24 || nTRST |} In addition, the following pads need to be bridged on the logic board: [[Image:Top_annote.jpg|500px]] === Nano 5G === The following pins carry 'classic' multi-wire JTAG on the Dock Connector: {| class="wikitable" |- ! Pin Number !! Function |- | 3 || RTCK (optional) |- | 5 || TDO |- | 9 || TDI |- | 14 || TCK |- | 17 || TMS |} In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board: [[Image:Nano5G JTAG.png|500px]] == 'Memory locked out' JTAG == Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the [[Nano2G_HW_analysis|Nano 2G initial reverse engineering process]] low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found. [[Image:Nano5G Broken JTAG.png|300px]] The above listing shows OpenOCD/GDB connected to a Nano 5G a while after it has been first scanned via JTAG. It seems to be stuck in a permanent 'data abort' handler loop, with some pretty trashed register values (although some of them are still in valid range for running the BootROM). 
What has been attempted so far: # Making sure the WDT isn't running. # Opening all clock gates # Writing to CHIPID in an attempt to 'demote' the devices à la iOS. # Connecting while the device is in the BootROM. # Using a fancy JTAG probe (Lauterbach) # Writing to 0x3970_0104 (which seems to have three security write-only bits, two of which disable built-in AES keys, the third being unknown) Other observations: # The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does). # This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely. # The implementation might be Samsung's 'SecureJTAG', as used in eg. the [https://web.archive.org/web/20230308173730/http://www.fdi.ucm.es/profesor/mendias/psyd/docs/S5PC100.pdf S5PC100]. However, the S5L87xx does not seem to have eFUSE registers that would hold a key as described in this datasheet - or such a register hasn't yet been found. It is also unknown, given the key, how to actually send it over JTAG to unlock it. 485a1bf5512ff9f1a04ea5e2dd71371e0ab5ce3c FMSS 0 6440 22029 2023-03-17T17:40:26Z Q3k 6232 Created page with "FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following..." wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. 
== Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. Bit 10: MASTER_EN, bit 24: DMA_EN. |- | 0x004 || FMCTRL1 || Control register used to start transfers. Bit 0: DOADDR, Bit 1: DORXDAT, Bit2: DOTXDAT. |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. === S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. 97dcb46530307d4137b81ed0af60a1a5079fa6ca 22030 22029 2023-03-17T17:41:28Z Q3k 6232 /* CS (Code Sequencer) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. 
There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. Bit 10: MASTER_EN, bit 24: DMA_EN. |- | 0x004 || FMCTRL1 || Control register used to start transfers. Bit 0: DOADDR, Bit 1: DORXDAT, Bit2: DOTXDAT. |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 
=== S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. 85649df570f9a9804f9ca2e4f0e4b421fa64b282 22031 22030 2023-03-17T17:51:09Z Q3k 6232 /* FMC (Flash Memory Controller) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Control register used to start transfers. Bit 0: DOADDR, Bit 1: DORXDAT, Bit2: DOTXDAT. |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. 
It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. === S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. 907f3e8cdd54f0a55dee75ed93eea98181378fa2 22032 22031 2023-03-17T17:54:34Z Q3k 6232 /* FMC (Flash Memory Controller) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. 
See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. === S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. afa178dd317e7df5a918e311cc28b6c6298f0ff1 22033 22032 2023-03-17T17:59:09Z Q3k 6232 /* FMC (Flash Memory Controller) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! 
Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 
=== S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. 4223172861fe78cb83212ded51dcd25146db8bc8 22034 22033 2023-03-17T18:06:20Z Q3k 6232 /* FMC (Flash Memory Controller) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. 
* Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. === S5L8950 / A6 === The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout. 85435c9484ccc1350d56bcf88129ed77d97a85f6 FMSS 0 6440 22035 22034 2023-03-17T18:15:18Z Q3k 6232 /* Other devices / SoCs */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. 
* Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 68b3164bd6ba5b9b8141633a4bb0c2437c271cc8 22048 22035 2023-10-11T00:53:19Z Q3k 6232 wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. 
There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. 
It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0xC08 || CS_STATUS || |- | 0xC60 || CS_BUF_RST || |- | 0xC64 || CS_BUF_RST_OK || |- | 0xC6C || CS_BUF_START || |} == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 6bdc43adab793d7b1eaec3d2a0c8802e22115d86 22049 22048 2023-10-11T00:54:16Z Q3k 6232 /* CS (Code Sequencer) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. 
|- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0xC08 || CS_STATUS || |- | 0xC0C || CS_IRQ || |- | 0xC60 || CS_BUF_RST || |- | 0xC64 || CS_BUF_RST_OK || |- | 0xC6C || CS_BUF_START || |} == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 128f5aed9c0bff252a33838e8d8af2f867fe533a 22050 22049 2023-10-11T00:57:36Z Q3k 6232 /* CS (Code Sequencer) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. 
There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. 
It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. {| class="wikitable" |- ! Offset !! Register Name !! Description |- |- | 0xC04 || CS_IP || Sequencer's instruction pointer. | 0xC08 || CS_STATUS || |- | 0xC0C || CS_IRQ || |- | 0xC60 || CS_BUF_RST || |- | 0xC64 || CS_BUF_RST_OK || |- | 0xC6C || CS_BUF_START || |} == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 6c1d6a535faee4dc9e98c541afc298fbad273707 22051 22050 2023-10-11T00:57:44Z Q3k 6232 /* CS (Code Sequencer) */ wikitext text/x-wiki FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730. There is no publicly available information about it, and the following has been gathered from reverse engineering [[RetailOS]] and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet. == Subsystems == === FMC (Flash Memory Controller) === This is the component responsible for the actual bus transfers on the NAND bus. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0x000 || FMCTRL0 || General control register. * Bit 0: Enable * Bits [1..8]: CE/Bank number * Bit 10: DMA enable? * Bits [12..14]: Hold clocks * Bits [16..18]: Setup clocks * Bits [28..30]: EDO clocks |- | 0x004 || FMCTRL1 || Transfer control register. * Bit 0: Start address transfer. * Bit 1: Start read transfer. * Bit 2: Start write transfer. * Bit 4: ??? * Bit 5: Clear ??? * Bit 6: Clear write FIFO * Bit 7: Clear read FIFO |- | 0x008 || FMCMD || NAND command number. Eg. 0x90: read NAND ID. 
Documented in JEDEC docs and NAND chip datasheets. |- | 0x00C || FMADDR0 || Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x010 || FMADDR1 || Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets. |- | 0x02C || FMANUM || Number of bytes to transfer during address transfer minus one (ie. countdown counter). |- | 0x030 || FMDNUM || Number of bytes to transfer during data transfer minus one (ie. countdown counter). |- | 0x048 || FMSTAT || Controller status. * Bit 0: flash busy? * Bit 1: command done. Write to clear. * Bit 2: address done. Write to clear. * Bit 3: transfer done. Write to clear. * Bit 23: flash has become busy? Write to clear. |} To be documented fully. === ECC (Error Correction Code) === To be documented. === CS (Code Sequencer) === A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems. The bytecode is documented at [https://github.com/lemonjesus/S5L8702-FMISS-Tools lemonjesus/S5L8702-FMISS-Tools]. {| class="wikitable" |- ! Offset !! Register Name !! Description |- | 0xC04 || CS_IP || Sequencer's instruction pointer. |- | 0xC08 || CS_STATUS || |- | 0xC0C || CS_IRQ || |- | 0xC60 || CS_BUF_RST || |- | 0xC64 || CS_BUF_RST_OK || |- | 0xC6C || CS_BUF_START || |} == Other devices / SoCs == === S5L8700X (non-Apple) and S5L8900 === A similar controller is present, called simply the FMC. It has no code sequencing functionality. On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS. 
53352fc3ad62e98b335f05b484649508472c4acd IMG1 0 6419 22036 21918 2023-04-18T02:55:44Z Plzdonthaxme 6236 add verification routine and misc changes wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. == Header Format == struct IMG1 { u8 magic[4]; // 0x0, SoC digits, eg. `8720`. u8 version[3]; // 0x4, `1.0` or `2.0` u8 format; // 0x7, Encryption/signature format. See below. u32 entrypoint; // 0x8, Offset to jump to within body (after header). u32 bodyLen; // 0xC, Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. u32 dataLen; // 0x10, Size of everything that's not the header (body + signature + certificates). u32 footerCertOffset; // 0x14, Offset of certificate start (after header). u32 footerCertLen; // 0x18, Size of certificate bundle. u8 salt[32]; // 0x1C, Random data. u16 unk1; // 0x3C u16 unk2; // 0x3E, Security epoch? u8 headerSign[16]; // 0x40, AES-encrypted SHA1 signature of everything up to headerSign. u8 headerLeftover[4]; // 0x50, Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. } The body is padded to either 0x800 (S5L8900 (iOS)/S5L8702), 0x600 (S5L8720/S5L8930) or 0x400 (S5L8723/S5L8740) bytes. 
The different sections are a bit tricky to reason about; here's an attempted overview:

 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes)
 0x54: Padding until $header_size (magic dependent, 0x600 in this example)
 0x600: Body, bodyLen bytes.
 ...
 0x600 + bodyLen: body signature (for X509 formats)
 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats)
 0x680 + bodyLen + footerCertLen: end of file.

The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.

A few assertions should hold for non-Touch iPods:

# File size == $header_size + bodyLen + footerCertLen + 0x80
# dataLen = bodyLen + 0x80 + footerCertLen

It is worth noting that for early iOS devices, dataLen is actually the offset to the body signature. It is unknown why Apple has changed this to the data length.

=== Encryption/Signature Formats ===

{| class="wikitable"
|-
! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! AES Operation !! Notes
|-
| SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| SIGNED (2) || ✅ || ❌ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅ || Decryption, Global/GID Key || Most (all?) released images have this type
|-
| X509_SIGNED (4) || ✅ || ❌ || ✅ || Decryption, Global/GID Key ||
|}

DFU mode in N3G, N4G, N5G seems to only accept X509_SIGNED_ENCRYPTED. Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.

=== Differences between v1.0 and 2.0 ===

Nano4G+ use 2.0. Everything else uses 1.0.

1.0 bootroms support encryption formats 1, 2, 3 and 4. 2.0 only supports encryption formats 3 and 4.

When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.
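Added example (not part of the original wiki page and not freemyipod or Apple code): a Python parser for the header layout above that checks the page's size assertions, the per-version format acceptance, and the 4-byte plaintext SHA1 tail at 0x50, which can be compared without any key. Assumptions: fields are little-endian and packed, every SoC's magic is its four digits, and the two size assertions are applied to the X509 formats only; `Img1`, `parse_img1` and `build_sample` are hypothetical names.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Header padding ("$header_size") per SoC, as listed on the page. Assumption:
# every SoC's magic is its four digits, as in the page's `8720` example.
HEADER_SIZE = {b"8900": 0x800, b"8702": 0x800, b"8720": 0x600,
               b"8930": 0x600, b"8723": 0x400, b"8740": 0x400}
# Formats each version accepts: 1.0 takes 1-4, 2.0 only the X509 ones.
ACCEPTED = {b"1.0": {1, 2, 3, 4}, b"2.0": {3, 4}}
X509_FORMATS = {3, 4}
BODY_SIG_LEN = 0x80
# Signed part of the header (0x00-0x3F). Assumption: little-endian, packed.
HEADER = struct.Struct("<4s3sBIIIII32sHH")


@dataclass
class Img1:
    magic: bytes
    version: bytes
    fmt: int
    entrypoint: int
    body_len: int
    data_len: int
    cert_offset: int
    cert_len: int
    header_size: int
    leftover_ok: bool  # plaintext SHA1 tail at 0x50 matches the header
    problems: list = field(default_factory=list)


def parse_img1(data: bytes) -> Img1:
    """Parse an IMG1 header and collect layout violations. Nothing is sliced
    using header-supplied lengths, so a hostile file cannot misdirect it."""
    if len(data) < 0x54:
        raise ValueError("shorter than the 0x54-byte IMG1 header")
    (magic, version, fmt, entry, body_len, data_len,
     cert_off, cert_len, _salt, _unk1, _unk2) = HEADER.unpack_from(data)
    if magic not in HEADER_SIZE:
        raise ValueError(f"unknown magic {magic!r}")
    hs = HEADER_SIZE[magic]
    # 32-bit check that needs no key: last 4 bytes of SHA1(header[0:0x40]).
    leftover_ok = hashlib.sha1(data[:0x40]).digest()[-4:] == data[0x50:0x54]
    img = Img1(magic, version, fmt, entry, body_len, data_len,
               cert_off, cert_len, hs, leftover_ok)
    if version not in ACCEPTED:
        img.problems.append(f"unknown version {version!r}")
    elif fmt not in ACCEPTED[version]:
        img.problems.append(
            f"format {fmt} not accepted by version {version.decode()}")
    if entry >= body_len:
        img.problems.append("entrypoint lies outside the body")
    if fmt in X509_FORMATS:
        # The two assertions the page gives for non-Touch iPods.
        # Assumption: only X509 images carry the 0x80-byte body signature.
        if len(data) != hs + body_len + cert_len + BODY_SIG_LEN:
            img.problems.append(
                "file size != header + body + signature + certificates")
        if data_len != body_len + BODY_SIG_LEN + cert_len:
            img.problems.append("dataLen != bodyLen + 0x80 + footerCertLen")
    elif hs + body_len > len(data):
        img.problems.append("body extends past end of file")
    return img


def build_sample(magic=b"8720", version=b"2.0", fmt=3,
                 body_len=0x100, cert_len=0x200) -> bytes:
    """Constructed test image (not a real firmware file). headerSign is left
    as zeros because computing it needs the device's Global/GID key."""
    head = HEADER.pack(magic, version, fmt, 0, body_len,
                       body_len + BODY_SIG_LEN + cert_len,  # dataLen
                       body_len + BODY_SIG_LEN,             # cert offset (assumed)
                       cert_len, bytes(32), 0, 0)
    head += bytes(16) + hashlib.sha1(head).digest()[-4:]
    head = head.ljust(HEADER_SIZE[magic], b"\x00")
    return head + bytes(body_len) + bytes(BODY_SIG_LEN) + bytes(cert_len)


if __name__ == "__main__":
    for label, blob in [("valid 2.0 / format 3", build_sample()),
                        ("2.0 with format 1", build_sample(fmt=1)),
                        ("truncated", build_sample()[:-1])]:
        img = parse_img1(blob)
        print(label, "->", img.problems or "ok", "| leftover_ok:", img.leftover_ok)
```

The leftover check covers only 32 bits of the digest and is not what the bootrom verifies; it is useful for spotting a header that was edited after generation.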
=== Differences between iBoot/SecureROM and iPod images === The iPod images do not use 'Key 0x837', and in fact use the Global/GID key for all AES operations. The iPod images are sometimes decrypted using the encrypt direction of the AES engine (formats 1 and 2) and sometimes with the decrypt direction of the AES engine (formats 3 and 4). iBoot/SecureROM images seem to all use the decrypt direction. === Leftover SHA in header === It seems like whatever generates IMG1 images does so in the following pseudocode: sha1(src=data, srcLen=0x40, dst=data+0x40) aes(src=data+0x40, size=0x10) // data is ready, ship it! As after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes). This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. === Verification Routine === There are 2 signatures that may be verified, those being the header signature and the body signature. The header signature in full may be verified by taking the SHA1 digest of data[0:0x40], encrypting it with the Global/GID key, and comparing it with the header signature. The body signature may be verified by first finding the leaf certificate, taking the public key from it, then verifying the body signature with the body data (defined as data[bodyPad:bodyPad + bodyLen]) and the public key. a6de4bbc8b09e498493112f120d4a0a02341da3e 22052 22036 2023-10-11T21:10:56Z Revo 6238 added information about the structure of the Nano 4g IMG1 body and how to extract files from it. wikitext text/x-wiki == Introduction == IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. 
It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. == Header Format == struct IMG1 { u8 magic[4]; // 0x0, SoC digits, eg. `8720`. u8 version[3]; // 0x4, `1.0` or `2.0` u8 format; // 0x7, Encryption/signature format. See below. u32 entrypoint; // 0x8, Offset to jump to within body (after header). u32 bodyLen; // 0xC, Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. u32 dataLen; // 0x10, Size of everything that's not the header (body + signature + certificates). u32 footerCertOffset; // 0x14, Offset of certificate start (after header). u32 footerCertLen; // 0x18, Size of certificate bundle. u8 salt[32]; // 0x1C, Random data. u16 unk1; // 0x3C u16 unk2; // 0x3E, Security epoch? u8 headerSign[16]; // 0x40, AES-encrypted SHA1 signature of everything up to headerSign. u8 headerLeftover[4]; // 0x50, Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. } The body is padded to either 0x800 (S5L8900 (iOS)/S5L8702), 0x600 (S5L8720/S5L8930) or 0x400 (S5L8723/S5L8740) bytes. The different sections are a bit tricky to reason about, here's an attempted overview: 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes) 0x54: Padding until $header_size (magic dependent, 0x600 in this example) 0x600: Body, bodyLen bytes. ... 
 0x600 + bodyLen: body signature (for X509 formats)
 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats)
 0x680 + bodyLen + footerCertLen: end of file.

The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.

A few assertions should hold for non-Touch iPods:

# File size == $header_size + bodyLen + footerCertLen + 0x80
# dataLen = bodyLen + 0x80 + footerCertLen

It is worth noting that for early iOS devices, dataLen is actually the offset to the body signature. It is unknown why Apple has changed this to the data length.

=== Encryption/Signature Formats ===

{| class="wikitable"
|-
! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! AES Operation !! Notes
|-
| SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| SIGNED (2) || ✅ || ❌ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅ || Decryption, Global/GID Key || Most (all?) released images have this type
|-
| X509_SIGNED (4) || ✅ || ❌ || ✅ || Decryption, Global/GID Key ||
|}

DFU mode in N3G, N4G, N5G seems to only accept X509_SIGNED_ENCRYPTED. Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.

=== Differences between v1.0 and 2.0 ===

Nano4G+ use 2.0. Everything else uses 1.0.

1.0 bootroms support encryption formats 1, 2, 3 and 4. 2.0 only supports encryption formats 3 and 4.

When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.

=== Differences between iBoot/SecureROM and iPod images ===

The iPod images do not use 'Key 0x837', and in fact use the Global/GID key for all AES operations.
The iPod images are sometimes decrypted using the encrypt direction of the AES engine (formats 1 and 2) and sometimes with the decrypt direction of the AES engine (formats 3 and 4). iBoot/SecureROM images seem to all use the decrypt direction. === Leftover SHA in header === It seems like whatever generates IMG1 images does so in the following pseudocode: sha1(src=data, srcLen=0x40, dst=data+0x40) aes(src=data+0x40, size=0x10) // data is ready, ship it! As after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes). This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. === Verification Routine === There are 2 signatures that may be verified, those being the header signature and the body signature. The header signature in full may be verified by taking the SHA1 digest of data[0:0x40], encrypting it with the Global/GID key, and comparing it with the header signature. The body signature may be verified by first finding the leaf certificate, taking the public key from it, then verifying the body signature with the body data (defined as data[bodyPad:bodyPad + bodyLen]) and the public key. === Parsing Decrypted IMG1 Files === With the development of the [[wInd3x]] exploit and its [https://github.com/freemyipod/wInd3x implementation] it has become possible to decrypt IMG1 files on the [[Nano_4G|iPod Nano 4g]] and [[Nano_5G|iPod Nano 5g]]. The [[Nano_4G|iPod Nano 4g]] has two separate sets of firmware available, firmware intended to interface with the [[Nano_4G|iPod Nano 4g]] hardware through DFU mode to assist with the restoration of the iPod to factory settings and the general retail firmware that is intended to be used by the consumer. 
Both sets of firmware can be obtained by following the links available [https://itunes.apple.com/WebObjects/MZStore.woa/wa/com.apple.jingle.appserver.client.MZITunesClientCheck/version?touchUpdate=true here]. In particular the `x12250000_Recovery.ipsw` file contains the WTF firmware (WTF.x1225.release.dfu) that interacts with DFU mode and the `iPod_31.1.0.4.ipsw` contains the bootloader (N58s.bootloader.release.rb3) and the rest of the [[RetailOS]]. To assist with development for the Nano 4G hardware, it is important to understand the drivers that are included in these IMG1 files. These drivers are included as part of the (U)EFI image that is contained within the IMG1 file. For the nano4g, the first 0x700 bytes of the IMG1 contain a header that is discussed above. The rest of the file contains what seems to be a UEFI firmware partition. Some of the information about UEFI firmware from the [https://en.wikipedia.org/wiki/UEFI Wikipedia page] seems relevant to understand this partition as well as the [https://wiki.osdev.org/UEFI OS Dev wiki page on UEFI development], which discusses UEFI applications and seems to be the format for some of the files included within the IMG1 volume. Using the uefi-firmware-parser package [https://github.com/theopolis/uefi-firmware-parser available here], it is possible to extract the files in this EFI volume. The files in the partition can be extracted by removing the first 0x700 bytes (Nano 4g) of the decrypted IMG1 file. This can be done with a hex editor or other tools. Furthermore, this step can be skipped if the option `-b` is used below. It is also recommended to set up a separate Conda environment to use with this tool. The files can be extracted as follows:

 uefi-firmware-parser -o out/ -e decrypted_efi_firmware_filename_here

The benefit of this approach is that it extracts all drivers included in the EFI firmware volume and also decompresses each driver. The next step in the process is to identify the function of each driver.
For this, Apple was helpful enough not to strip out the name of each driver inside each driver file. The mapping from the file GUIDs to their functions can be recovered in many ways, but here is a simple script to print out the mapping:

 for ii in `find out/ | grep "\.pe"`; do echo "$ii" | cut -d '/' -f 3 | cut -d '-' -f 2-; strings "$ii" | tail -n 1 | rev | cut -d '/' -f 1 | rev | cut -d '.' -f 1; echo; done

There is an additional .te file that contains the executable code that is jumped to from Secure Boot. The extracted firmware PE files will contain a valid PE file header and will begin with the "MZ" magic bytes. It may be helpful to use [https://github.com/blackberry/pe_tree PE Tree] to parse these headers and inspect these files. Manual inspection with a hex editor can be done as well. Some information about PE file headers is available [https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers here]. The above instructions assume a Nano 4g IMG1 WTF file or Bootloader. See [https://github.com/freemyipod/defs/blob/main/efi.py here] for more information about the Nano 5g IMG1 structure.

2750b8a7ee88e5d5b687b8c2a954dcacc69822db 22054 22052 2023-10-12T15:44:37Z Revo 6238 fixed extra space wikitext text/x-wiki

== Introduction ==

IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods. It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods.
Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. == Header Format == struct IMG1 { u8 magic[4]; // 0x0, SoC digits, eg. `8720`. u8 version[3]; // 0x4, `1.0` or `2.0` u8 format; // 0x7, Encryption/signature format. See below. u32 entrypoint; // 0x8, Offset to jump to within body (after header). u32 bodyLen; // 0xC, Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. u32 dataLen; // 0x10, Size of everything that's not the header (body + signature + certificates). u32 footerCertOffset; // 0x14, Offset of certificate start (after header). u32 footerCertLen; // 0x18, Size of certificate bundle. u8 salt[32]; // 0x1C, Random data. u16 unk1; // 0x3C u16 unk2; // 0x3E, Security epoch? u8 headerSign[16]; // 0x40, AES-encrypted SHA1 signature of everything up to headerSign. u8 headerLeftover[4]; // 0x50, Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. } The body is padded to either 0x800 (S5L8900 (iOS)/S5L8702), 0x600 (S5L8720/S5L8930) or 0x400 (S5L8723/S5L8740) bytes. The different sections are a bit tricky to reason about, here's an attempted overview: 0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes) 0x54: Padding until $header_size (magic dependent, 0x600 in this example) 0x600: Body, bodyLen bytes. ... 0x600 + bodyLen: body signature (for X509 formats) 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats) 0x680 + bodyLen + footerCertLen: end of file. The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen. A few assertions should hold for non-Touch iPods: # File size == $header_size + bodyLen + footerCertLen + 0x80 # dataLen = bodyLen + 0x80 + footerCertLen It is worth noting that for early iOS devices, dataLen is actually the offset to the body signature. 
It is unknown why Apple has changed this to the data length.

=== Encryption/Signature Formats ===

{| class="wikitable"
|-
! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! AES Operation !! Notes
|-
| SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| SIGNED (2) || ✅ || ❌ || ❌ || Encryption, Global/GID Key || Not accepted in 2.0.
|-
| X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅ || Decryption, Global/GID Key || Most (all?) released images have this type
|-
| X509_SIGNED (4) || ✅ || ❌ || ✅ || Decryption, Global/GID Key ||
|}

DFU mode in N3G, N4G, N5G seems to only accept X509_SIGNED_ENCRYPTED. Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.

=== Differences between v1.0 and 2.0 ===

Nano4G+ use 2.0. Everything else uses 1.0.

1.0 bootroms support encryption formats 1, 2, 3 and 4. 2.0 only supports encryption formats 3 and 4.

When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.

=== Differences between iBoot/SecureROM and iPod images ===

The iPod images do not use 'Key 0x837', and in fact use the Global/GID key for all AES operations.

The iPod images are sometimes decrypted using the encrypt direction of the AES engine (formats 1 and 2) and sometimes with the decrypt direction of the AES engine (formats 3 and 4). iBoot/SecureROM images seem to all use the decrypt direction.

=== Leftover SHA in header ===

It seems like whatever generates IMG1 images does so in the following pseudocode:

 sha1(src=data, srcLen=0x40, dst=data+0x40)
 aes(src=data+0x40, size=0x10)
 // data is ready, ship it!

As after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes).
This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following: sha1(data[0:0x40]).digest()[-4:] == data[0x50:0x54] This has likely zero security implications, but is nonetheless a fascinating curiosity. === Verification Routine === There are 2 signatures that may be verified, those being the header signature and the body signature. The header signature in full may be verified by taking the SHA1 digest of data[0:0x40], encrypting it with the Global/GID key, and comparing it with the header signature. The body signature may be verified by first finding the leaf certificate, taking the public key from it, then verifying the body signature with the body data (defined as data[bodyPad:bodyPad + bodyLen]) and the public key. === Parsing Decrypted IMG1 Files === With the development of the [[wInd3x]] exploit and its [https://github.com/freemyipod/wInd3x implementation] it has become possible to decrypt IMG1 files on the [[Nano_4G|iPod Nano 4g]] and [[Nano_5G|iPod Nano 5g]]. The [[Nano_4G|iPod Nano 4g]] has two separate sets of firmware available, firmware intended to interface with the [[Nano_4G|iPod Nano 4g]] hardware through DFU mode to assist with the restoration of the iPod to factory settings and the general retail firmware that is intended to be used by the consumer. Both sets of firmware can be obtained by following the links available [https://itunes.apple.com/WebObjects/MZStore.woa/wa/com.apple.jingle.appserver.client.MZITunesClientCheck/version?touchUpdate=true here]. In particular the `x12250000_Recovery.ipsw` file contains the WTF firmware (WTF.x1225.release.dfu) that interacts with DFU mode and the `iPod_31.1.0.4.ipsw` contains the bootloader (N58s.bootloader.release.rb3) and the rest of the [[RetailOS]]. To assist with development for the Nano 4G hardware, it is important to understand the drivers that are included in these IMG1 files. 
These drivers are included as part of the (U)EFI image that is contained within the IMG1 file. For the nano4g, the first 0x700 bytes of the IMG1 contain a header that is discussed above. The rest of the file contains what seems to be a UEFI firmware partition. Some of the information about UEFI firmware from the [https://en.wikipedia.org/wiki/UEFI Wikipedia page] seems relevant to understand this partition as well as the [https://wiki.osdev.org/UEFI OS Dev wiki page on UEFI development], which discusses UEFI applications and seems to be the format for some of the files included within the IMG1 volume. Using the uefi-firmware-parser package [https://github.com/theopolis/uefi-firmware-parser available here], it is possible to extract the files in this EFI volume. The files in the partition can be extracted by removing the first 0x700 bytes (Nano 4g) of the decrypted IMG1 file. This can be done with a hex editor or other tools. Furthermore, this step can be skipped if the option `-b` is used below. It is also recommended to set up a separate Conda environment to use with this tool. The files can be extracted as follows:

 uefi-firmware-parser -o out/ -e decrypted_efi_firmware_filename_here

The benefit of this approach is that it extracts all drivers included in the EFI firmware volume and also decompresses each driver. The next step in the process is to identify the function of each driver. For this, Apple was helpful enough not to strip out the name of each driver inside each driver file. The mapping from the file GUIDs to their functions can be recovered in many ways, but here is a simple script to print out the mapping:

 for ii in `find out/ | grep "\.pe"`; do echo "$ii" | cut -d '/' -f 3 | cut -d '-' -f 2-; strings "$ii" | tail -n 1 | rev | cut -d '/' -f 1 | rev | cut -d '.' -f 1; echo; done

There is an additional .te file that contains the executable code that is jumped to from Secure Boot.
The extracted firmware PE files will contain a valid PE file header and will begin with the "MZ" magic bytes. It may be helpful to use [https://github.com/blackberry/pe_tree PE Tree] to parse these headers and inspect these files. Manual inspection with a hex editor can be done as well. Some information about PE file headers is available [https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers here]. The above instructions assume a Nano 4g IMG1 WTF file or Bootloader. See [https://github.com/freemyipod/defs/blob/main/efi.py here] for more information about the Nano 5g IMG1 structure. 221d04864cf486dfa4cef6661d8e375b49f36543 User:Plzdonthaxme 2 6441 22037 2023-04-18T03:03:32Z Plzdonthaxme 6236 Created page with "Hi! I'm plx, and I'm interested in Apple's products and softwares. My socials are [https://twitter.com/plzdonthaxme @plzdonthaxme] on Twitter, @plzdonthaxme:matrix.org on Matr..." wikitext text/x-wiki Hi! I'm plx, and I'm interested in Apple's products and softwares. My socials are [https://twitter.com/plzdonthaxme @plzdonthaxme] on Twitter, @plzdonthaxme:matrix.org on Matrix, or [https://mastodon.social/@plzdonthaxme @plzdonthaxme@mastodon.social] on Mastodon. f4abc0f783523d52b32ed1ac6617a33ddbab8e42 S5L8702 0 6442 22038 2023-09-11T21:44:55Z Iscle 6237 Created page with "== Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC). == Peripherals == An overview of the peripherals of the SoC, describing the base ad..." wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC). == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description | Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} fcb184091cf75c404649f64d17068165ae560dc7 22039 22038 2023-09-11T21:45:16Z Iscle 6237 wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC). == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} d77fe550e0357a827a2c4dd7e3e71d15d97660ac 22040 22039 2023-09-11T21:51:19Z Iscle 6237 wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC). == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} 46cec541bfb2280bc831331e8ba82d6bc6871121 22041 22040 2023-09-11T21:53:24Z Iscle 6237 wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC). == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | Set to 1 for RX, 0 for TX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} 28af5852950db6162148c094bfa1c211d294fb2f 22042 22041 2023-09-11T21:54:23Z Iscle 6237 wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC).<br> '''NOTE:''' All information provided here has been obtained by reverse engineering and is not guaranteed to be accurate. == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | Set to 1 for RX, 0 for TX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} e4e7712587c5cb9125b8efc4dbb2e5517e9c357b 22043 22042 2023-09-11T21:56:35Z Iscle 6237 /* SPISETUP */ wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC).<br> '''NOTE:''' All information provided here has been obtained by reverse engineering and is not guaranteed to be accurate. == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | 0 = TX<br>1 = RX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} 20cb57cd3f61afce53933489bb956b4243ecfc57 22045 22043 2023-09-11T23:01:28Z Iscle 6237 wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC).<br> '''NOTE:''' All information provided here has been obtained by reverse engineering and is not guaranteed to be accurate. == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | 0 = TX<br>1 = RX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} === JPEG Decoder === Base address: 0x3d100000 ab877325faf22b69f3f488dea6f7816033f19cb0 22046 22045 2023-09-11T23:09:10Z Iscle 6237 /* JPEG Decoder */ wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC).<br> '''NOTE:''' All information provided here has been obtained by reverse engineering and is not guaranteed to be accurate. == Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! 
Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | 0 = TX<br>1 = RX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} === Chip ID === Base address: 0x3d100000 === JPEG Decoder === Base address: 0x39600000 === ATA === Base address: 0x38700000 === GPIO === Base address: 0x3cf00000 === System Controller === Base address: 0x3c500000 === WatchDog === Base address: 0x3c800000 === MIU === Base address: 0x38100000 === TIMER === Base address: 0x3c700000 === USB === OTG base address: 0x38400000 PHY base address: 0x3c400000 360a21a2f16176d30aede58c9aaa52e3397de227 22047 22046 2023-09-11T23:09:19Z Iscle 6237 /* USB */ wikitext text/x-wiki == Introduction == This page provides details on the Samsung S5L8702 System on Chip (SoC).<br> '''NOTE:''' All information provided here has been obtained by reverse engineering and is not guaranteed to be accurate. 
== Peripherals == An overview of the peripherals of the SoC, describing the base address and registers for each one. === SPI === {| class="wikitable" |- ! SPI !! Base address |- | SPI0 || 0x3c300000 |- | SPI1 || 0x3ce00000 |- | SPI2 || 0x3d200000 |} ==== Registers ==== {| class="wikitable" ! Register Name ! Offset ! Description ! Note |- | SPICTRL | 0x00 | | |- | SPISETUP | 0x04 | | |- | SPISTATUS | 0x08 | | |- | SPIPIN | 0x0c | | |- | SPITXDATA | 0x10 | | |- | SPIRXDATA | 0x20 | | |- | SPICLKDIV | 0x30 | | |- | SPIRXLIMIT | 0x34 | | |} ==== SPICTRL ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | Unk2 | 1 | R/W? | | Gets checked by the bootloader after clearing/setting ''Unk1'' |- | Unk1 | 0 | R?/W | | Gets cleared/set by the bootloader |} ==== SPISETUP ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | RW | 0 | R?/W | | 0 = TX<br>1 = RX |} ==== SPISTATUS ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPIPIN ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |} ==== SPITXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R?/W | Data to be sent by the SPI peripheral | |} ==== SPIRXDATA ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | DATA | 7:0 | R/W? | Data received by the SPI peripheral | |} ==== SPICLKDIV ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! Note |- | CLKDIV | 10:0 | R?/W | | |} ==== SPIRXLIMIT ==== {| class="wikitable" ! Name ! Bit ! Type ! Description ! 
Note |} === Chip ID === Base address: 0x3d100000 === JPEG Decoder === Base address: 0x39600000 === ATA === Base address: 0x38700000 === GPIO === Base address: 0x3cf00000 === System Controller === Base address: 0x3c500000 === WatchDog === Base address: 0x3c800000 === MIU === Base address: 0x38100000 === TIMER === Base address: 0x3c700000 === USB === OTG base address: 0x38400000<br> PHY base address: 0x3c400000 5d75498ac7395a2167518da84623261e5328205a Classic 3G 0 247 22044 3739 2023-09-11T21:57:13Z Iscle 6237 /* Components */ wikitext text/x-wiki [[Image:Front_3g.jpg|500px]] [[Image:Back_3g.jpg|500px]] iPod classic MC293, 160GB, silver No better teardown pictures of the Classic 3G have been found or made by us yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile differences (if any) in the hardware. ==Terminology== By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9, 2009. It is the same size as the [[Classic 2G]]. ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | 3 | CPU | [https://freemyipod.org/wiki/S5L8702 Samsung S5L8702] |337S3526 8702 N26P9U4 1011 ARM | ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. 
Same as on the Nano 3G |- | 2 | SDRAM | K4X51163PE | | |- | 5 | Utility Flash | [http://www.sst.com/products/?inode=41340 SST25VF080B] | | Same as on the Nano 3G |- | 4 | Audio codec | [http://www.cirrus.com/en/pubs/proDatasheet/CS42L55_F1.pdf Cirrus Logic CS42L55] | APPLE 338S0394 AICK0952 MAL | |- | 1 | Power manager | NXP PCF50635 | APPLE 338S0445 78030 82 D780113 | |- | 6 | USB charging | LTC4066 |4066T 84453 | |} 9f8237eab9ba88f8f115ff2817b1a3d3e9f363d1 Firmware 0 56 22053 21930 2023-10-11T21:18:25Z Revo 6238 /* Nano 4G */ wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== [[OSOS]] is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. 
This depends on EFI modules being loaded so it can't be booted directly. ** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging In addition, the Nano 4G contains a bootloader file within the firmware ipsw called ''N58s.bootloader.release.rb3''. These firmware files can be decrypted by treating them as [[IMG1]] files. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 1483538b8a8278ebad860e9e34c3b6c0e98c7d22 22055 22053 2023-10-12T18:22:53Z Revo 6238 included details about DFU firmware and made a note about the Nano 5G. wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== [[OSOS]] is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. [[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. 
This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly. ** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging The Nano 4G firmware IPSW contains an additional bootloader file called ''N58s.bootloader.release.rb3'', which is not present in previous iPod Nano generations. These files can be decrypted by treating them as [[IMG1]] files. Furthermore, two sets of special firmware also exist. ''x12250000_Recovery.ipsw'' is downloaded and the ''WTF.x1225.release.dfu'' is loaded when the iPod is found in DFU mode. Furthermore, another file exists in ''x12430000_Recovery.ipsw'', called ''FIRMWARE.x1243.release.dfu''. ==Nano 5G== The iPod Nano 5G has the same firmware above. However, the two special firmware files are ''x12310000_Recovery.ipsw'' (loaded in DFU mode) and ''x12460000_Recovery.ipsw''. ==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware fd42b8b54d7f8ede06beb0f8a1d203e5ec0b36b7 22056 22055 2023-10-12T18:23:05Z Revo 6238 /* Nano 4G */ wikitext text/x-wiki This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful. ==Nano 2G== ===osos=== [[OSOS]] is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G. 
[[Image:IN2G firmware osos header.png|thumb|caption]] [[Image:Firmware layout.png|150px]] ===aupd=== Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G: [[Image:IN2G firmware aupd header.png|thumb|caption]] [[Image:IN2G cipher aupd diffs.png|500px]] ===rsrc=== This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project. ==Nano 3G== The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF. ==Classic 1G (6G)== The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time. ==Nano 4G== The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added: * Binaries ** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly. ** ''disk'' - Disk mode * Bitmaps ** ''appl'' - Apple logo for booting ** ''bdhw'' - Bad hardware image ** ''bdsw'' - Bad software image (Use iTunes to restore) ** ''lbat'' - Low battery image ** ''chrg'' - Same as lbat but showing that the iPod is charging The Nano 4G firmware IPSW contains an additional bootloader file called ''N58s.bootloader.release.rb3'', which is not present in previous iPod Nano generations. These files can be decrypted by treating them as [[IMG1]] files. Furthermore, two sets of special firmware also exist. ''x12250000_Recovery.ipsw'' is downloaded and the ''WTF.x1225.release.dfu'' is loaded when the iPod is found in DFU mode. Furthermore, another file exists in ''x12430000_Recovery.ipsw'', called ''FIRMWARE.x1243.release.dfu''. ==Nano 5G== The iPod Nano 5G has the same firmware above. However, the two special firmware files are ''x12310000_Recovery.ipsw'' (loaded in DFU mode) and ''x12460000_Recovery.ipsw''. 
==Helpful pages== http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf http://www.ipodlinux.org/wiki/Firmware 87b4c55eafc7f395864983c0c0e8c0bc767e5bd2 920-0614-03 0 6443 22057 2023-10-18T22:23:27Z Q3k 6232 Created page with "The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs..." wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. '''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the device's battery). == JTAG == [[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset. == Differences from production device == So far, it seems like the SoC present on the board is no different from production SoCs. == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} 0b681a1897e824a64ee778e1610cbc371803f20a 22058 22057 2023-10-18T22:25:35Z Q3k 6232 wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). 
It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. '''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the device's battery). == JTAG == [[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset. == Differences from production device == So far, it seems like the SoC present on the board is no different from production SoCs. === CHIPID === Seems like a perfectly standard S5L8720: <pre> 3d100000: 0100 0000 0100 0011 0f18 2087 104f 6d76 .......... ..Omv 3d100010: d700 0000 0300 0000 0000 0000 0000 0000 ................ </pre> == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} acc92484b82bb310aa8a0098d05b82446783588b 22060 22058 2023-10-27T15:26:03Z Q3k 6232 wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. 
'''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the device's battery). == JTAG == [[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} 4044b97997a4da31724b4474e7abacf06b8e844a 22061 22060 2023-10-27T15:47:16Z Q3k 6232 /* Differences from production device */ wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. '''TODO''': Figure out which serial is which, and document reanimating DE9/USB. 
== Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the device's battery). == JTAG == [[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB # <code>CHIPIDL & (1 << 27) == 1</code>: The WTF's ChipID[2] function returns 3 instead of 2 in *second argument. == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} ef7763b9b35d3fe197e91a9c858e2bd9c02c37fa 22062 22061 2023-10-27T15:49:41Z Q3k 6232 /* Differences from production device */ wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. 
'''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the device's battery). == JTAG == [[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB # <code>CHIPIDL & (1 << 27) == 0</code>: The WTF's ChipID[2] function returns 2 instead of 3 in *second argument. == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} 3683a7e76bd9f62e08a038f35a73d36014bf1613 22063 22062 2023-10-27T16:56:48Z Q3k 6232 wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The board has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. 
'''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the devices' battery). == JTAG == [[JTAG]] is available over the 30 pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB # <code>CHIPIDL & (1 << 27) == 0</code>: The WTF's ChipID[2] function returns 2 instead of 3 in *second argument. == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |} == Case == Protective case design: https://www.printables.com/model/628404-920-0614-03-ipod-nano-4g-prototype-case a442db230efcb1db5b7538d9975b25ded579713b 22073 22063 2024-05-04T14:42:08Z Q3k 6232 /* Pins */ wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. 
== Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The boards has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. '''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the devices' battery). == JTAG == [[JTAG]] is available over the 30 pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB # <code>CHIPIDL & (1 << 27) == 0</code>: The WTF's ChipID[2] function returns 2 instead of 3 in *second argument. == Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! 
Function on board |- | 91 || 'DFU' button |- | 2 || DB9 UART TX (J9205) |} == Case == Protective case design: https://www.printables.com/model/628404-920-0614-03-ipod-nano-4g-prototype-case a2bd0423bf0ef6a56c9df0b0869136cb0b87d9b1 22074 22073 2024-05-05T10:21:26Z Q3k 6232 /* Pins */ wikitext text/x-wiki The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?). It appeared on a bunch of eBay auctions around September 2023. == Specs == '''SoC''': S5L8729 '''Flash''': Usually desoldered '''DRAM''': To be checked == UART == The boards has at least two ways to access UART: # Over DE9 connector. # Over USB/Serial bridge. # Over 30-pin connector. '''TODO''': Figure out which serial is which, and document reanimating DE9/USB. == Power == The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4v-ish supply which simulates the devices' battery). == JTAG == [[JTAG]] is available over the 30 pin connector, but is also seemingly locked out as on production devices. == Getting code to run == [[wInd3x]] works on the device. On devices without Flash attempting to run the standard WTF causes a reset. == Differences from production device == === CHIPID === Different CHIPIDL/H values are present in the CHIPID peripheral: {| class="wikitable" |- ! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>) |- | Nano 4G || <code>19000011</code> || <code>8720000f</code> |- | 920-0614-03 || <code>11000001</code> || <code>8720180f</code> |} Effects: # <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB # <code>CHIPIDL & (1 << 27) == 0</code>: The WTF's ChipID[2] function returns 2 instead of 3 in *second argument. 
== Pins == As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device. {| class="wikitable" |- ! S5L8720 GPIO !! Function on board |- | 91 || 'DFU' button |- | 5 || DB9 UART TX (J9204) |} == Case == Protective case design: https://www.printables.com/model/628404-920-0614-03-ipod-nano-4g-prototype-case 05f9dcdd29d367c1e5f7f750deba6c8d8ac356b2 RetailOS 0 6426 22059 22022 2023-10-22T13:38:13Z Q3k 6232 wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'retailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == retailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial. === Boot chain === retailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity. 
=== eApp Signing ===
Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==
We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]].

== Analysis / Memory Layout ==
Loading RetailOS correctly into a decompiler/disassembler is tricky, as the contents of the IMG1 image are a binary blob which self-relocates to the correct places in memory.

These are the memory segments within RetailOS that we know of (at least on Nano 5G):

{| class="wikitable"
|-
! Name !! Marker !! Location in memory !! Description
|-
| sram.text || n/a || SRAM 0x22000000 || SRAM-resident code, most of RTXC lives here.
|-
| sram.bss || n/a || SRAM 0x22030000 || SRAM-resident zero data.
|-
| sram.data || n/a || SRAM 0x22030000 + sram_bss_size || SRAM-resident data.
|-
| dram.textdata || hibe || DRAM 0x08000000 || Combined .text and .data which lives in DRAM. Bulk of code lives here.
|-
| dram.frameworks || miscTBD || DRAM 0x08000000 + dram_textdata_size || 'Framework' system of some kind, interfaces used by eApps.
|-
| dram.bss || n/a || DRAM 0x08000000 + dram_textdata_size + dram_frameworks_size || DRAM-resident zero data.
|}

And here's how the segments are built up within the RetailOS binary blob:

{| class="wikitable"
|-
! Address !! Name !! Size
|-
| Start || sram.text || sram_text_size
|-
| || sram.bss || sram_bss_size
|-
| || sram.data || sram_data_size
|-
| || dram.text || dram_text_size
|-
| End || dram.frameworks || dram_frameworks_size
|}

(yes, the firmware blob ships a sram.bss physically in the file)

So, to load the binary, the goal is to figure out the segment sizes and then load the segments into a decompiler/disassembler. Here, we'll show how to figure out the segment sizes for N5G.

First, load the RetailOS body (without the header!) at 0x22000000 in a decompiler.
We load it there (instead of into DRAM as it is done on the device) as the stub relocates to this address first by performing the SRAM .text/.data copies very early in the process, and the code is position independent for only a short time.

Then, look at the start function (follow the reset vector):

<pre>
void start(void) { // 0x2200505c
    int offs = relocation_offset();
    /* ... peeks/pokes to bus matrix periph at 0x3ff00000 ... */
    if (offs != 0) {
        relocate(offs);
    }
    (*0x22000000) = 0xea000007;
    zero_bss();
}
</pre>

relocation_offset will return 0 if the stub is already at 0x22000000, so will return 0 for the way we've loaded it. On a real device, this will be 0x22000000 - 0x08000000 == 0x1a000000, as the real device loads RetailOS into DRAM first. Thus, relocate() will be called:

<pre>
void relocate(int offs) { // 0x22005ec8
    int iVar1 = -offs;
    void *blob_start = iVar1 + 0x22000000;
    memmove(0x22000000, blob_start, 0xe27c); // copy sram.text
    memzero(0x22000000 + 0xe27c, 0xbc4); // zero out sram.bss within blob
    memmove(0x22030000, 0x22000000 + 0xe27c + iVar1, 0x20000); // copy sram.bss + sram.data
    jump_offset(offs);
    memmove(0x08000000, 0x22000000 + 0xe27c + 0x20000 + iVar1, 0x6c3768); // copy dram.textdata
    memmove(0x08000000 + 0x6c3768, iVar1 + 0x22000000 + 0xe27c + 0x20000 + 0x6c3768, 0xc40); // copy dram.frameworks
    start();
    return;
}
</pre>

The above listing shows reconstituted address calculations - in a plain decompilation, all the additions will of course be simplified to a single constant. But you should be able to figure out the following:

# sram_text_size is 0xe27c
# sram_bss_size is 0xbc4
# sram_bss_size + sram_data_size is 0x20000
# dram_textdata_size is 0x6c3768
# dram_frameworks_size is 0xc40

Then, in zero_bss we can find the size of dram.bss:

<pre>
void zero_bss(void) { // 0x22005fec
    memzero(0x2200e27c, 0xbc4); // zero out sram.bss
    // inlined memzero:
    void *start = 0x08000000 + 0x6c3768 + 0xc40;
    int size = 0x790a84;
    // ...
}
</pre>

From which we can figure out that the dram.bss segment size is 0x790a84.

Thus we can load the file like so (combining sram.bss and sram.data) into a 'clean' decompiler/disassembler session:

{| class="wikitable"
|-
! Name !! Memory Address !! File Offset
|-
| sram.text || 0x22000000 || 0x00000000
|-
| sram.bssdata || 0x22030000 || 0x0000e27c
|-
| dram.textdata || 0x08000000 || 0x0002e27c (0xe27c + 0x20000)
|-
| dram.frameworks || 0x086c3768 || 0x006f19e4 (0xe27c + 0x20000 + 0x6c3768)
|-
| dram.bss || 0x086c43a8 || n/a (0x790a84 zeroes)
|}

Writing an automated converter into ELF from arbitrary RetailOS blobs is an exercise left to the reader.

== RTXC ==

=== Documentation ===
This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions.

There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2.

=== Services / Syscalls ===
While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS.

All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures.
There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking).

The following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols.

{| class="wikitable"
|-
! Name !! Number !! Description
|-
| <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING.
|-
| <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox.
|-
| <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant).
|-
| <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant).
|-
| <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource.
|-
| <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout.
|-
| <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource.
|-
| <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool.
|-
| <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer.
|-
| <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer.
|-
| <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time.
|-
| <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address.
|- | <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task. |- | <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. |- | <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE. |- | <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed. |- | <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task. |- | <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority. |- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by retailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || 
<code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} === Resources === The following lockable resources are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || GPIO_REG_WRITE || |- | 0x02 || GPIO_INT_INIT || |- | 0x03 || RTC_TIME_ADJUST || |- | 0x04 || RTC_ALARM_ADJUST || |- | 0x05 || I2C_MASTER || |- | 0x06 || USB_GRANT || |- | 0x07 || USB_RESP_INIT || |- | 0x08 || USB_RESPONDER || |- | 0x09 || DISKPWRMGRSEND || |- | 0x0a || PIEZOMGRSEND || |- | 0x0b || SERIALVERIFIER || |- | 0x0c || RESISTORVERIFIER || |- | 0x0d || FW_IRAM || |- | 0x0e || ACCPOWER || |- | 0x0f || UARTA || |- | 0x10 || UARGB || |- | 0x11 || PMU_LOCK || |- | 0x12 || ADC_LOCK || |- | 0x13 || DTV_ENC_INIT || |- | 0x14 || BACKLIGHT || |} == External links == * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] f11e83cdbfa8dde8db10c47d283b45d04b081e8f 22075 22059 2024-05-09T19:31:34Z LemonJesus 6239 Un-dead the Twitter link talking about Pixo. wikitext text/x-wiki The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface. == Naming == The only 'official' name seems to be 'retailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle. == Architecture == retailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games. The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://web.archive.org/web/20230224105131/https://twitter.com/johnwhitley/status/1451952369248264201</ref> == Security == As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial. 
=== Boot chain === retailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM. While other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity. === eApp Signing === Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist. == Options == We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]]. == Analysis / Memory Layout == Loading RetailOS correctly into a decompiler/disassembler is tricky, as the contents of the IMG1 image are a binary blob which self-relocates to the correct places in memory. These are the memory segments within RetailOS that we know of (at least on Nano 5G): {| class="wikitable" |- ! Name !! Marker !! Location in memory !! Description |- | sram.text || n/a || SRAM 0x22000000 || SRAM-resident code, most of RTXC lives here. |- | sram.bss || n/a || SRAM 0x22030000 || SRAM-resident zero data. |- | sram.data || n/a || SRAM 0x22030000 + sram_bss_size || SRAM-resident data. |- | dram.textdata || hibe || DRAM 0x08000000 || Combined .text and .data which lives in DRAM. Bulk of code lives here. |- | dram.frameworks || miscTBD || DRAM 0x08000000 + dram_textdata_size || 'Framework' system of some kind, interfaces used by eApps. |- | dram.bss || n/a || DRAM 0x08000000 + dram_textdata_size + dram_frameworks_size || DRAM-resident zero data. |} And here's how the segments are built up within the RetailOS binary blob: {| class="wikitable" |- ! Address !! Name !! 
Size
|-
| Start || sram.text || sram_text_size
|-
| || sram.bss || sram_bss_size
|-
| || sram.data || sram_data_size
|-
| || dram.text || dram_text_size
|-
| End || dram.frameworks || dram_frameworks_size
|}

(yes, the firmware blob ships a sram.bss physically in the file)

So, to load the binary, the goal is to figure out the segment sizes and then load the segments into a decompiler/disassembler. Here, we'll show how to figure out the segment sizes for N5G.

First, load the RetailOS body (without the header!) at 0x22000000 in a decompiler. We load it there (instead of into DRAM as it is done on the device) as the stub relocates to this address first by performing the SRAM .text/.data copies very early in the process, and the code is position independent for only a short time.

Then, look at the start function (follow the reset vector):

<pre>
void start(void) { // 0x2200505c
    int offs = relocation_offset();
    /* ... peeks/pokes to bus matrix periph at 0x3ff00000 ... */
    if (offs != 0) {
        relocate(offs);
    }
    (*0x22000000) = 0xea000007;
    zero_bss();
}
</pre>

relocation_offset will return 0 if the stub is already at 0x22000000, so will return 0 for the way we've loaded it. On a real device, this will be 0x22000000 - 0x08000000 == 0x1a000000, as the real device loads RetailOS into DRAM first.
Thus, relocate() will be called:

<pre>
void relocate(int offs) { // 0x22005ec8
    int iVar1 = -offs;
    void *blob_start = iVar1 + 0x22000000;
    memmove(0x22000000, blob_start, 0xe27c); // copy sram.text
    memzero(0x22000000 + 0xe27c, 0xbc4); // zero out sram.bss within blob
    memmove(0x22030000, 0x22000000 + 0xe27c + iVar1, 0x20000); // copy sram.bss + sram.data
    jump_offset(offs);
    memmove(0x08000000, 0x22000000 + 0xe27c + 0x20000 + iVar1, 0x6c3768); // copy dram.textdata
    memmove(0x08000000 + 0x6c3768, iVar1 + 0x22000000 + 0xe27c + 0x20000 + 0x6c3768, 0xc40); // copy dram.frameworks
    start();
    return;
}
</pre>

The above listing shows reconstituted address calculations - in a plain decompilation, all the additions will of course be simplified to a single constant. But you should be able to figure out the following:

# sram_text_size is 0xe27c
# sram_bss_size is 0xbc4
# sram_bss_size + sram_data_size is 0x20000
# dram_textdata_size is 0x6c3768
# dram_frameworks_size is 0xc40

Then, in zero_bss we can find the size of dram.bss:

<pre>
void zero_bss(void) { // 0x22005fec
    memzero(0x2200e27c, 0xbc4); // zero out sram.bss
    // inlined memzero:
    void *start = 0x08000000 + 0x6c3768 + 0xc40;
    int size = 0x790a84;
    // ...
}
</pre>

From which we can figure out that the dram.bss segment size is 0x790a84.

Thus we can load the file like so (combining sram.bss and sram.data) into a 'clean' decompiler/disassembler session:

{| class="wikitable"
|-
! Name !! Memory Address !! File Offset
|-
| sram.text || 0x22000000 || 0x00000000
|-
| sram.bssdata || 0x22030000 || 0x0000e27c
|-
| dram.textdata || 0x08000000 || 0x0002e27c (0xe27c + 0x20000)
|-
| dram.frameworks || 0x086c3768 || 0x006f19e4 (0xe27c + 0x20000 + 0x6c3768)
|-
| dram.bss || 0x086c43a8 || n/a (0x790a84 zeroes)
|}

Writing an automated converter into ELF from arbitrary RetailOS blobs is an exercise left to the reader.
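The load map in the table above follows mechanically from the six sizes, so it can be computed and sanity-checked before anything is loaded into a disassembler. The following Python sketch is an added example, not code from the original page or from any freemyipod tool; <code>Sizes</code>, <code>Segment</code>, <code>load_map</code> and <code>split_blob</code> are hypothetical names, and zero-filling the sram.bss part of sram.bssdata is an assumption based on the segment table calling it zero data.

```python
"""Derive the RetailOS load map from the sizes read out of relocate()/zero_bss().

Added example; Sizes, Segment, load_map and split_blob are hypothetical names.
"""
from dataclasses import astuple, dataclass
from typing import Dict, List, Optional, Tuple

SRAM_TEXT_BASE = 0x22000000   # destination of sram.text
SRAM_DATA_BASE = 0x22030000   # destination of sram.bss + sram.data
DRAM_BASE = 0x08000000        # destination of dram.textdata


@dataclass(frozen=True)
class Sizes:
    sram_text: int
    sram_bss: int
    sram_bssdata: int         # sram_bss_size + sram_data_size
    dram_textdata: int
    dram_frameworks: int
    dram_bss: int


# Nano 5G values taken from the listings on this page.
N5G = Sizes(0xE27C, 0xBC4, 0x20000, 0x6C3768, 0xC40, 0x790A84)


@dataclass(frozen=True)
class Segment:
    name: str
    addr: int
    file_offset: Optional[int]   # None: not stored in the file, zero-filled
    size: int


def load_map(s: Sizes) -> List[Segment]:
    """Return the segments in file order, rejecting inconsistent sizes."""
    if min(astuple(s)) < 0:
        raise ValueError("negative segment size")
    if s.sram_bss > s.sram_bssdata:
        raise ValueError("sram.bss is larger than sram.bss + sram.data")
    off_bssdata = s.sram_text
    off_textdata = off_bssdata + s.sram_bssdata
    off_frameworks = off_textdata + s.dram_textdata
    frameworks_addr = DRAM_BASE + s.dram_textdata
    segments = [
        Segment("sram.text", SRAM_TEXT_BASE, 0, s.sram_text),
        Segment("sram.bssdata", SRAM_DATA_BASE, off_bssdata, s.sram_bssdata),
        Segment("dram.textdata", DRAM_BASE, off_textdata, s.dram_textdata),
        Segment("dram.frameworks", frameworks_addr, off_frameworks, s.dram_frameworks),
        Segment("dram.bss", frameworks_addr + s.dram_frameworks, None, s.dram_bss),
    ]
    # A wrong size read from the decompilation usually shows up as an overlap.
    ordered = sorted(segments, key=lambda seg: seg.addr)
    for low, high in zip(ordered, ordered[1:]):
        if low.addr + low.size > high.addr:
            raise ValueError(f"{low.name} overlaps {high.name}")
    return segments


def file_size(s: Sizes) -> int:
    """Bytes of the blob body covered by the four file-backed segments."""
    return s.sram_text + s.sram_bssdata + s.dram_textdata + s.dram_frameworks


def split_blob(blob: bytes, s: Sizes,
               zero_sram_bss: bool = True) -> Dict[str, Tuple[int, bytes]]:
    """Cut a header-less RetailOS body into {name: (load address, bytes)}."""
    if len(blob) < file_size(s):
        raise ValueError(
            f"blob is {len(blob):#x} bytes, load map needs {file_size(s):#x}")
    out: Dict[str, Tuple[int, bytes]] = {}
    for seg in load_map(s):
        if seg.file_offset is None:
            data = bytes(seg.size)                    # dram.bss: all zeroes
        else:
            data = blob[seg.file_offset:seg.file_offset + seg.size]
        if seg.name == "sram.bssdata" and zero_sram_bss:
            # Assumption: treat the leading sram.bss bytes as zero data,
            # whatever the file physically ships there.
            data = bytes(s.sram_bss) + data[s.sram_bss:]
        out[seg.name] = (seg.addr, data)
    return out


if __name__ == "__main__":
    for seg in load_map(N5G):
        off = "n/a" if seg.file_offset is None else f"{seg.file_offset:#010x}"
        print(f"{seg.name:16} {seg.addr:#010x} {off:>10} {seg.size:#x}")
```

For other device generations only the <code>Sizes</code> values change; the overlap and length checks catch a size that was misread from the decompilation.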
== RTXC ==

=== Documentation ===
This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions.

There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2.

=== Services / Syscalls ===
While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS.

All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code. Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (e.g. blocking/nonblocking).

The following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols.

{| class="wikitable"
|-
! Name !! Number !!
Description
|-
| <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING.
|-
| <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox.
|-
| <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant).
|-
| <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant).
|-
| <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource.
|-
| <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout.
|-
| <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource.
|-
| <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool.
|-
| <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer.
|-
| <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer.
|-
| <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time.
|-
| <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address.
|-
| <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task.
|-
| <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs.
|-
| <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE.
|-
| <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed.
|-
| <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task.
|-
| <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority.
|- | <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores. |- | <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day. |- | <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day. |- | <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource. |- | <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource. |- | <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task. |- | <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task. |- | <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue. |- | <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service. |} The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by retailOS and not built into the service dispatcher, at least on [[Nano 5G]]. === Semaphores === The following semaphores are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || 
<code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} === Resources === The following lockable resources are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description
|-
| 0x01 || GPIO_REG_WRITE ||
|-
| 0x02 || GPIO_INT_INIT ||
|-
| 0x03 || RTC_TIME_ADJUST ||
|-
| 0x04 || RTC_ALARM_ADJUST ||
|-
| 0x05 || I2C_MASTER ||
|-
| 0x06 || USB_GRANT ||
|-
| 0x07 || USB_RESP_INIT ||
|-
| 0x08 || USB_RESPONDER ||
|-
| 0x09 || DISKPWRMGRSEND ||
|-
| 0x0a || PIEZOMGRSEND ||
|-
| 0x0b || SERIALVERIFIER ||
|-
| 0x0c || RESISTORVERIFIER ||
|-
| 0x0d || FW_IRAM ||
|-
| 0x0e || ACCPOWER ||
|-
| 0x0f || UARTA ||
|-
| 0x10 || UARGB ||
|-
| 0x11 || PMU_LOCK ||
|-
| 0x12 || ADC_LOCK ||
|-
| 0x13 || DTV_ENC_INIT ||
|-
| 0x14 || BACKLIGHT ||
|}

== External links ==

* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]

e24266e857c1727d2128a606eb91643ee6b7d677 22076 22075 2024-05-09T19:44:04Z LemonJesus 6239 add a RTXC 3.2 training manual I found on archive.org wikitext text/x-wiki

The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

== Naming ==

The only 'official' name seems to be 'retailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.

== Architecture ==

retailOS is a small, embedded, single-user, single-binary, real time operating system. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://web.archive.org/web/20230224105131/https://twitter.com/johnwhitley/status/1451952369248264201</ref>

== Security ==

As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial.

=== Boot chain ===

retailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.

While other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity.

=== eApp Signing ===

Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.

== Options ==

We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]].

== Analysis / Memory Layout ==

Loading RetailOS correctly into a decompiler/disassembler is tricky, as the contents of the IMG1 image are a binary blob which self-relocates to the correct places in memory.

These are the memory segments within RetailOS that we know of (at least on Nano 5G):

{| class="wikitable"
|-
! Name !! Marker !! Location in memory !! Description
|-
| sram.text || n/a || SRAM 0x22000000 || SRAM-resident code, most of RTXC lives here.
|-
| sram.bss || n/a || SRAM 0x22030000 || SRAM-resident zero data.
|-
| sram.data || n/a || SRAM 0x22030000 + sram_bss_size || SRAM-resident data.
|-
| dram.textdata || hibe || DRAM 0x08000000 || Combined .text and .data which lives in DRAM. Bulk of code lives here.
|-
| dram.frameworks || miscTBD || DRAM 0x08000000 + dram_textdata_size || 'Framework' system of some kind, interfaces used by eApps.
|-
| dram.bss || n/a || DRAM 0x08000000 + dram_textdata_size + dram_frameworks_size || DRAM-resident zero data.
|}

And here's how the segments are built up within the RetailOS binary blob:

{| class="wikitable"
|-
! Address !! Name !! 
Size
|-
| Start || sram.text || sram_text_size
|-
| || sram.bss || sram_bss_size
|-
| || sram.data || sram_data_size
|-
| || dram.text || dram_text_size
|-
| End || dram.frameworks || dram_frameworks_size
|}

(yes, the firmware blob ships a sram.bss physically in the file)

So to load the binary, we first need to figure out the segment sizes, and then load the segments into a decompiler/disassembler. Here, we'll show how to figure out the segment sizes for N5G.

First, load the RetailOS body (without the header!) at 0x22000000 in a decompiler. We load it there (instead of into DRAM, as is done on the device) because the stub relocates to this address first, by performing the SRAM .text/.data copies very early in the process, and the code is position independent for only a short time.

Then, look at the start function (follow the reset vector):

<pre>
void start(void) { // 0x2200505c
    int offs = relocation_offset();
    /* ... peeks/pokes to bus matrix periph at 0x3ff00000 ... */
    if (offs != 0) {
        relocate(offs);
    }
    *(volatile uint32_t *)0x22000000 = 0xea000007;
    zero_bss();
}
</pre>

relocation_offset will return 0 if the stub is already at 0x22000000, so will return 0 for the way we've loaded it. On a real device, this will be 0x22000000 - 0x08000000 == 0x1a000000, as the real device loads RetailOS into DRAM first. 
Thus, relocate() will be called:

<pre>
void relocate(int offs) { // 0x22005ec8
    int iVar1 = -offs;
    void *blob_start = iVar1 + 0x22000000;
    memmove(0x22000000, blob_start, 0xe27c); // copy sram.text
    memzero(0x22000000 + 0xe27c, 0xbc4); // zero out sram.bss within blob
    memmove(0x22030000, 0x22000000 + 0xe27c + iVar1, 0x20000); // copy sram.bss + sram.data
    jump_offset(offs);
    memmove(0x08000000, 0x22000000 + 0xe27c + 0x20000 + iVar1, 0x6c3768); // copy dram.textdata
    memmove(0x08000000 + 0x6c3768, iVar1 + 0x22000000 + 0xe27c + 0x20000 + 0x6c3768, 0xc40); // copy dram.frameworks
    start();
    return;
}
</pre>

The above listing shows reconstituted address calculations - in a plain decompilation, all the additions will of course be simplified to a single constant. But you should be able to figure out the following:

# sram_text_size is 0xe27c
# sram_bss_size is 0xbc4
# sram_bss_size + sram_data_size is 0x20000
# dram_textdata_size is 0x6c3768
# dram_frameworks_size is 0xc40

Then, in zero_bss we can find the size of dram.bss:

<pre>
void zero_bss(void) { // 0x22005fec
    memzero(0x2200e27c, 0xbc4); // zero out sram.bss
    // inlined memzero:
    void *start = 0x08000000 + 0x6c3768 + 0xc40;
    int size = 0x790a84;
    // ...
}
</pre>

From which we can figure out that the dram.bss segment size is 0x790a84.

Thus we can load the file like so (combining sram.bss and sram.data) into a 'clean' decompiler/disassembler session:

{| class="wikitable"
|-
! Name !! Memory Address !! File Offset
|-
| sram.text || 0x22000000 || 0x00000000
|-
| sram.bssdata || 0x22030000 || 0x0000e27c
|-
| dram.textdata || 0x08000000 || 0x0002e27c (0xe27c + 0x20000)
|-
| dram.frameworks || 0x086c3768 || 0x006f19e4 (0xe27c + 0x20000 + 0x6c3768)
|-
| dram.bss || 0x086c43a8 || n/a (0x790a84 zeroes)
|}

Writing an automated converter into ELF from arbitrary RetailOS blobs is an exercise left to the reader.

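The load table above follows mechanically from the five sizes. The Python below is an added example (not freemyipod code) that derives the table from those sizes and, going one step beyond it, wraps a header-less RetailOS body in a minimal ELF32 file with one PT_LOAD per segment. The names <code>Sizes</code>, <code>load_map</code> and <code>to_elf</code>, the all-RWX segment flags and the use of 0x22000000 as entry point are assumptions; sizes for other builds still have to be read out of their own relocate() and zero_bss().

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SRAM_TEXT_BASE = 0x22000000  # destination of the sram.text copy in relocate()
SRAM_DATA_BASE = 0x22030000  # destination of the sram.bss + sram.data copy
DRAM_BASE = 0x08000000       # destination of the dram.textdata copy


@dataclass(frozen=True)
class Sizes:
    sram_text: int
    sram_bssdata: int     # sram.bss + sram.data, stored back to back in the blob
    dram_textdata: int
    dram_frameworks: int
    dram_bss: int         # not stored in the blob, zeroed by zero_bss()


# Nano 5G values recovered from relocate() and zero_bss() on this page.
N5G = Sizes(0xE27C, 0x20000, 0x6C3768, 0xC40, 0x790A84)


@dataclass(frozen=True)
class Segment:
    name: str
    vaddr: int
    blob_off: Optional[int]  # None means "no bytes in the blob" (bss)
    size: int


def load_map(s: Sizes) -> List[Segment]:
    """Return every segment with its memory address and offset in the blob."""
    frameworks = DRAM_BASE + s.dram_textdata
    stored = [
        ("sram.text", SRAM_TEXT_BASE, s.sram_text),
        ("sram.bssdata", SRAM_DATA_BASE, s.sram_bssdata),
        ("dram.textdata", DRAM_BASE, s.dram_textdata),
        ("dram.frameworks", frameworks, s.dram_frameworks),
    ]
    segs, off = [], 0
    for name, vaddr, size in stored:  # blob order == copy order in relocate()
        segs.append(Segment(name, vaddr, off, size))
        off += size
    segs.append(Segment("dram.bss", frameworks + s.dram_frameworks, None, s.dram_bss))
    return segs


EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, little-endian
PHDR = struct.Struct("<8I")                # Elf32_Phdr
ET_EXEC, EM_ARM, PT_LOAD = 2, 40, 1
PF_RWX = 7  # assumption: the page documents no per-segment permissions


def to_elf(blob: bytes, s: Sizes) -> bytes:
    """Wrap a header-less retailOS body in an ELF32 file, one PT_LOAD per segment."""
    segs = load_map(s)
    stored = sum(g.size for g in segs if g.blob_off is not None)
    if len(blob) < stored:
        raise ValueError(
            f"blob is {len(blob):#x} bytes, sizes need {stored:#x}: "
            "wrong sizes for this build, or a truncated image"
        )
    data_start = EHDR.size + PHDR.size * len(segs)
    ident = b"\x7fELF" + bytes([1, 1, 1])  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    out = bytearray(EHDR.pack(
        ident, ET_EXEC, EM_ARM, 1,
        SRAM_TEXT_BASE,            # e_entry (assumed): start of sram.text
        EHDR.size, 0, 0,           # e_phoff, e_shoff, e_flags
        EHDR.size, PHDR.size, len(segs),
        0, 0, 0,                   # no section headers
    ))
    for g in segs:
        in_file = g.blob_off is not None
        p_offset = data_start + (g.blob_off if in_file else stored)
        p_filesz = g.size if in_file else 0  # bss: memsz only, loader zero-fills
        out += PHDR.pack(PT_LOAD, p_offset, g.vaddr, g.vaddr,
                         p_filesz, g.size, PF_RWX, 1)
    out += blob[:stored]
    return bytes(out)


if __name__ == "__main__":
    for g in load_map(N5G):
        off = "n/a" if g.blob_off is None else f"{g.blob_off:#010x}"
        print(f"{g.name:16} {g.vaddr:#010x} {off:>10} {g.size:#x}")
```

The IMG1 header has to be stripped before calling <code>to_elf</code>, as with the manual procedure; bytes past the last stored segment are ignored.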
== RTXC ==

=== Documentation ===

This seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions.

There are also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2.

=== Services / Syscalls ===

While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS.

All service functions go through a central dispatch function, and that's the easiest point to start reverse engineering the kernel service interface. The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts disabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism; all caller code is just as privileged as the kernel code.

Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts.

Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (eg. blocking/nonblocking).

The following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols.

{| class="wikitable"
|-
! Name !! Number !! 
Description
|-
| <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING.
|-
| <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox.
|-
| <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant).
|-
| <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant).
|-
| <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource.
|-
| <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout.
|-
| <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource.
|-
| <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool.
|-
| <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer.
|-
| <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer.
|-
| <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time.
|-
| <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address.
|-
| <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task.
|-
| <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs.
|-
| <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE.
|-
| <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed.
|-
| <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task.
|-
| <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority.
|-
| <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores.
|-
| <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day.
|-
| <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day.
|-
| <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource.
|-
| <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource.
|-
| <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task.
|-
| <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task.
|-
| <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue.
|-
| <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service.
|}

The RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by retailOS and not built into the service dispatcher, at least on [[Nano 5G]].

=== Semaphores ===

The following semaphores are defined in the [[Nano 3G]] retailOS:

{| class="wikitable"
|-
! Number !! Name !! 
Description |- | 0x01 || <code>S_FW_PWR_CHANGE</code> || |- | 0x02 || <code>S_BAT_PWR_CHANGE</code> || |- | 0x03 || <code>S_USB_PWR_CHANGE</code> || |- | 0x04 || <code>S_CNA_CHANGE</code> || |- | 0x05 || <code>S_WHEEL_CHANGE</code> || |- | 0x06 || <code>S_DISKMGRQ</code> || |- | 0x07 || <code>S_TOPPLUG_SWITCH</code> || |- | 0x08 || <code>S_RTCTIMERMGR</code> || |- | 0x09 || <code>S_ALARM_01</code> || |- | 0x0a || <code>S_ALARM_02</code> || |- | 0x0b || <code>S_ALARM_03</code> || |- | 0x0c || <code>S_WATCHDOG</code> || |- | 0x0d || <code>S_CPUMGRQ</code> || |- | 0x0e || <code>S_PCFPOWERMGR</code> || |- | 0x0f || <code>S_POWER_STATE_AC</code> || |- | 0x10 || <code>S_CGR_STATE_TMR</code> || |- | 0x11 || <code>S_DEEPSLEEP</code> || |- | 0x12 || <code>S_ALARM_DONE</code> || |- | 0x13 || <code>S_PIEZOMGR</code> || |- | 0x14 || <code>S_PIEZOMGRSNDR</code> || |- | 0x15 || <code>S_PIEZODONE</code> || |- | 0x16 || <code>S_ACCPOWER</code> || |- | 0x17 || <code>S_ACC_REINIT</code> || |- | 0x18 || <code>S_TOPPLUGSENSER</code> || |- | 0x19 || <code>S_TOPPLUGCHANGE</code> || |- | 0x1a || <code>S_BTMCONNECT</code> || |- | 0x1b || <code>S_BTMPLUGCHANGE</code> || |- | 0x1c || <code>S_BTMREVERIFY</code> || |- | 0x1d || <code>S_BTMREVERTIMED</code> || |- | 0x1e || <code>S_BTMVERCOMP</code> || |- | 0x1f || <code>S_TOPACCPKTRCVD</code> || |- | 0x20 || <code>S_BTMACCPKTRCVD</code> || |- | 0x21 || <code>S_SERIALIDRCVD</code> || |- | 0x22 || <code>S_UARTATXEMPTY</code> || |- | 0x23 || <code>S_UARTBTXEMPTY</code> || |- | 0x24 || <code>S_HDDSCANCOMP</code> || |- | 0x25 || <code>S_BL_ON</code> || |- | 0x26 || <code>S_BL_OFF</code> || |- | 0x27 || <code>S_BL_RAMPDOWN</code> || |- | 0x28 || <code>S_BL_RAMPUP</code> || |- | 0x29 || <code>S_BL_TIMESUP</code> || |- | 0x2a || <code>S_BATT_TIMESUP</code> || |- | 0x2b || <code>S_BATT_AC_PWR</code> || |- | 0x2c || <code>S_BATT_TMR_RST</code> || |- | 0x2d || <code>S_GRAPHMGR</code> || |- | 0x2e || <code>S_VBL</code> || |- | 0x2f || 
<code>S_DTVRECOVERY</code> || |- | 0x30 || <code>S_CM_HEADPHONE</code> || |- | 0x31 || <code>S_CM_EXTPOWER</code> || |- | 0x32 || <code>S_CM_ACCATTACHED</code> || |- | 0x33 || <code>S_CM_DAC_SETUP</code> || |- | 0x34 || <code>S_ATAWRKLPRDY</code> || |- | 0x35 || <code>S_RTXCBUG</code> || |- | 0x36 || <code>S_BLOCKDEVICE</code> || |- | 0x37 || <code>S_BLOCKDEVICEQ</code> || |- | 0x38 || <code>S_DISPLAY</code> || |- | 0x39 || <code>S_ARB_READY</code> || |- | 0x3a || <code>S_I2C_DONE</code> || |- | 0x3b || <code>S_VSYNC</code> || |} There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet). === Queues === The following queues are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || PIXORESQ || |- | 0x02 || PIXOSEMAQ || |- | 0x03 || POSIXRESQ || |- | 0x04 || POSIXSEMAQ || |} === Mailboxes === The following mailboxes are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! Description |- | 0x01 || M_DISKMGR || |- | 0x02 || M_PIEZOMGR || |- | 0x03 || M_GRAPHMGR || |- | 0x04 || M_BLOCKDEVICE || |- | 0x05 || M_DISPLAY || |} === Resources === The following lockable resources are defined in the [[Nano 3G]] retailOS: {| class="wikitable" |- ! Number !! Name !! 
Description
|-
| 0x01 || GPIO_REG_WRITE ||
|-
| 0x02 || GPIO_INT_INIT ||
|-
| 0x03 || RTC_TIME_ADJUST ||
|-
| 0x04 || RTC_ALARM_ADJUST ||
|-
| 0x05 || I2C_MASTER ||
|-
| 0x06 || USB_GRANT ||
|-
| 0x07 || USB_RESP_INIT ||
|-
| 0x08 || USB_RESPONDER ||
|-
| 0x09 || DISKPWRMGRSEND ||
|-
| 0x0a || PIEZOMGRSEND ||
|-
| 0x0b || SERIALVERIFIER ||
|-
| 0x0c || RESISTORVERIFIER ||
|-
| 0x0d || FW_IRAM ||
|-
| 0x0e || ACCPOWER ||
|-
| 0x0f || UARTA ||
|-
| 0x10 || UARGB ||
|-
| 0x11 || PMU_LOCK ||
|-
| 0x12 || ADC_LOCK ||
|-
| 0x13 || DTV_ENC_INIT ||
|-
| 0x14 || BACKLIGHT ||
|}

== External links ==

* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]
* [https://archive.org/details/manualzilla-id-5752851 RTXC 3.2 Training Manual]

0e676ff5aad8176ba7715790227df2407e92e8d5 SysCfg 0 6444 22064 2023-11-07T00:23:15Z InvoxiPlayGames 6240 Created page with ""'''SysCfg'''" is the system configuration sector of an iPod. It carries unique per-device information such as the serial number, as well as determining which region a device..." wikitext text/x-wiki

"'''SysCfg'''" is the system configuration sector of an iPod. It carries unique per-device information such as the serial number, as well as determining which region a device was sold in, the model number, etc.

On the iPod nano 3rd generation and the iPod Classic, it is stored in the first section of the NOR.

'''WARNING: Messing with SysCfg can result in a device that can not be restored in iTunes, and may not boot! You MUST keep backups!'''

== Structure ==

The header of the SysCfg always begins with a 'SCfg' tag in a 24 byte header. Some of the header values are unknown.

 struct SysCfgHeader {
     uint32_t magic; // always 'SCfg'
     uint32_t size;
     uint32_t unknown1; // 0x00000200 on iPod classic
     uint32_t version; // maybe? 0x00010001 on iPod classic
     uint32_t unknown2; // 0x00000000 on iPod classic
     uint32_t num_entries;
 }; // 0x18

Each entry in the SysCfg consists of a 32-bit tag value (in little-endian) and up to 16 (0x10) bytes of data. The way the data is encoded is dependent on the tag value.

 struct SysCfgEntry {
     uint32_t tag;
     uint8_t data[0x10];
 };

== Tags ==

{| class="wikitable"
|-
! Tag !! Meaning !! Data type
|-
| SrNm || Serial Number || ASCII characters
|-
| Mdo# || Model Number || ASCII characters
|-
| FwId || Firmware ID || Unknown
|-
| HwId || Hardware ID || Unknown
|-
| Regn || Sales Region || Unknown
|-
| HwVr || Hardware Version || 4 16-bit shorts
|-
| SwVr || Software Version - that the device shipped with? || ASCII characters
|-
| MLBN || Logic Board Serial Number || ASCII characters
|-
| Codc || Unknown || Unknown
|}

=== Example Values ===

==== iPod classic (6th generation), 80GB ====

{| class="wikitable"
|-
! Tag !! Value !! Notes
|-
| SrNm || 8K823xxxYMV || Redacted device identifier
|-
| Mdo# || MB147 ||
|-
| FwId || 0x01000000 0x13622A6C 0x000A2700 || Interpreted as 3 32-bit LE integers
|-
| HwId || 0x82021685 || Interpreted as 1 32-bit LE integer
|-
| Regn || 0x0001 0x0002 0x0025 0x0001 || Sold in UK. Interpreted as 4 16-bit LE shorts
|-
| HwVr || 0x0013.0x0000.0x0000.0x0000 || Reversed order
|-
| SwVr || 1.0 ||
|-
| MLBN || BR8604P11007 ||
|-
| Codc || SB || Interpreted as ASCII characters
|}

iTunes restores this device to firmware 1.1.2

== Behaviours ==

* WTF for 0x1223 / S5L8702 devices uses HwVr to determine which USB PID to use.

== References ==

* [https://theapplewiki.com/wiki/SysCfg SysCfg on The Apple Wiki]

551a2bfc12ee4b8eac71f1d40f62c605cd7b6f64 22067 22064 2023-11-27T04:37:25Z InvoxiPlayGames 6240 /* iPod classic (6th generation), 80GB */ making the colour known wikitext text/x-wiki

"'''SysCfg'''" is the system configuration sector of an iPod. 
It carries unique per-device information such as the serial number, as well as determining which region a device was sold in, the model number, etc.

On the iPod nano 3rd generation and the iPod Classic, it is stored in the first section of the NOR.

'''WARNING: Messing with SysCfg can result in a device that can not be restored in iTunes, and may not boot! You MUST keep backups!'''

== Structure ==

The header of the SysCfg always begins with a 'SCfg' tag in a 24 byte header. Some of the header values are unknown.

 struct SysCfgHeader {
     uint32_t magic; // always 'SCfg'
     uint32_t size;
     uint32_t unknown1; // 0x00000200 on iPod classic
     uint32_t version; // maybe? 0x00010001 on iPod classic
     uint32_t unknown2; // 0x00000000 on iPod classic
     uint32_t num_entries;
 }; // 0x18

Each entry in the SysCfg consists of a 32-bit tag value (in little-endian) and up to 16 (0x10) bytes of data. The way the data is encoded is dependent on the tag value.

 struct SysCfgEntry {
     uint32_t tag;
     uint8_t data[0x10];
 };

== Tags ==

{| class="wikitable"
|-
! Tag !! Meaning !! Data type
|-
| SrNm || Serial Number || ASCII characters
|-
| Mdo# || Model Number || ASCII characters
|-
| FwId || Firmware ID || Unknown
|-
| HwId || Hardware ID || Unknown
|-
| Regn || Sales Region || Unknown
|-
| HwVr || Hardware Version || 4 16-bit shorts
|-
| SwVr || Software Version - that the device shipped with? || ASCII characters
|-
| MLBN || Logic Board Serial Number || ASCII characters
|-
| Codc || Unknown || Unknown
|}

=== Example Values ===

==== iPod classic (6th generation), 80GB, Black ====

{| class="wikitable"
|-
! Tag !! Value !! Notes
|-
| SrNm || 8K823xxxYMV || Redacted device identifier
|-
| Mdo# || MB147 ||
|-
| FwId || 0x01000000 0x13622A6C 0x000A2700 || Interpreted as 3 32-bit LE integers
|-
| HwId || 0x82021685 || Interpreted as 1 32-bit LE integer
|-
| Regn || 0x0001 0x0002 0x0025 0x0001 || Sold in UK. 
Interpreted as 4 16-bit LE shorts
|-
| HwVr || 0x0013.0x0000.0x0000.0x0000 || Reversed order
|-
| SwVr || 1.0 ||
|-
| MLBN || BR8604P11007 ||
|-
| Codc || SB || Interpreted as ASCII characters
|}

iTunes restores this device to firmware 1.1.2

== Behaviours ==

* WTF for 0x1223 / S5L8702 devices uses HwVr to determine which USB PID to use.

== References ==

* [https://theapplewiki.com/wiki/SysCfg SysCfg on The Apple Wiki]

f04186fd982037df0313f11b068473c51a8d6170 22077 22067 2024-06-23T20:01:25Z User890104 124 wikitext text/x-wiki

"'''SysCfg'''" is the system configuration sector of an iPod. It carries unique per-device information such as the serial number, as well as determining which region a device was sold in, the model number, etc.

On the iPod nano 3rd generation and the iPod Classic, it is stored in the first section of the NOR.

'''WARNING: Messing with SysCfg can result in a device that can not be restored in iTunes, and may not boot! You MUST keep backups!'''

== Structure ==

The header of the SysCfg always begins with a 'SCfg' tag in a 24 byte header. Some of the header values are unknown.

 struct SysCfgHeader {
     uint32_t magic; // always 'SCfg'
     uint32_t size;
     uint32_t unknown1; // 0x00000200 on iPod classic
     uint32_t version; // maybe? 0x00010001 on iPod classic
     uint32_t unknown2; // 0x00000000 on iPod classic
     uint32_t num_entries;
 }; // 0x18

Each entry in the SysCfg consists of a 32-bit tag value (in little-endian) and up to 16 (0x10) bytes of data. The way the data is encoded is dependent on the tag value.

 struct SysCfgEntry {
     uint32_t tag;
     uint8_t data[0x10];
 };

== Tags ==

{| class="wikitable"
|-
! Tag !! Meaning !! Data type
|-
| SrNm || Serial Number || ASCII characters
|-
| Mod# || Model Number || ASCII characters
|-
| FwId || Firmware ID || Unknown
|-
| HwId || Hardware ID || Unknown
|-
| Regn || Sales Region || Unknown
|-
| HwVr || Hardware Version || 4 16-bit shorts
|-
| SwVr || Software Version - that the device shipped with? || ASCII characters
|-
| MLBN || Logic Board Serial Number || ASCII characters
|-
| Codc || Unknown || Unknown
|}

=== Example Values ===

==== iPod classic (6th generation), 80GB, Black ====

{| class="wikitable"
|-
! Tag !! Value !! Notes
|-
| SrNm || 8K823xxxYMV || Redacted device identifier
|-
| Mod# || MB147 ||
|-
| FwId || 0x01000000 0x13622A6C 0x000A2700 || Interpreted as 3 32-bit LE integers
|-
| HwId || 0x82021685 || Interpreted as 1 32-bit LE integer
|-
| Regn || 0x0001 0x0002 0x0025 0x0001 || Sold in UK. Interpreted as 4 16-bit LE shorts
|-
| HwVr || 0x0013.0x0000.0x0000.0x0000 || Reversed order
|-
| SwVr || 1.0 ||
|-
| MLBN || BR8604P11007 ||
|-
| Codc || SB || Interpreted as ASCII characters
|}

iTunes restores this device to firmware 1.1.2

== Behaviours ==

* WTF for 0x1223 / S5L8702 devices uses HwVr to determine which USB PID to use.

== References ==

* [https://theapplewiki.com/wiki/SysCfg SysCfg on The Apple Wiki]

3baaa76e1b2a82afc83b60678b44fefddc5781c4 User:760ceb3b9c0ba4872cadf3ce35a7a494 2 6445 22065 2023-11-08T02:16:40Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 Created page with "hello" wikitext text/x-wiki

hello

aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d Nano 3G 0 242 22066 21926 2023-11-19T19:19:12Z LemonJesus 6239 porting over my hardware notes wikitext text/x-wiki

[[Image:nano_3g_frt_a.png|500px]] [[Image:nano_3g_bck_a.png|500px]]

==Components==

{| class="wikitable"
! Label !! Component !! Part !! Markings !! Notes
|-
| 2
| CPU
| Samsung S5L8702
| 337S3473 8702, NONBWOEC, 0731 ARM
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| 3
| SDRAM
| [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75
| 0728, C, HYE18M256, 169CX75, W3338092
| SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. 
The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75
|-
| 5
| Utility Flash
| [http://www.sst.com/products/?inode=41340 SST25VF080B]
| V80B, 729379
| Flash - NOR, 8Mb, Serial SPI
|-
| 6
| NAND Flash
| Varies
| Samsung 728, K9HCG08U5M, PCB0, FCF285X1
|
|-
| 1
| Audio codec
| WM1870
| APPLE, 338S0462, 76BZKTM
|
|-
| 4
| Power manager
| D1671B
| 338S0408, 07258HAH
|
|}

== SPI NOR Test Pads ==

Test pads are available on the back of the board to access SCK, MISO and CS between the SoC and the NOR utility flash. MOSI is also present, but is buried in an internal layer (second from back) which can be accessed by carefully scraping off the top FR4 using a sharp tool, or by using a tiny carbide bit on a milling machine.

[[Image:N3g-spi-nor.png|500px]] [[Image:N3g-spi-nor-zoom.png|500px]]

== Hardware Notes ==

=== CPU ===

The Apple S5L8702 is an ARM926EJ-S processor designed by Samsung. It is estimated to run at 100MHz (I read this somewhere but I don't remember where). The basics of the chip are similar to the S5L8700x for which there is [[S5L8700 datasheet|a leaked datasheet]]. For some peripherals, merely a base address has changed. For others, full subsystems have been updated and refined.

=== GPU ===

Very little is known about the GPU core other than the fact that it almost certainly exists. It's likely a single PowerVR GPU core that can maybe decode H.264 content up to 480p (or perhaps there's another peripheral responsible for this?). It's also possible that the GPU is responsible for rendering games, since it appears the games use some form of OpenGL ES. CoverFlow also probably leverages the GPU.

=== I2C ===

The S5L8702 has several I2C busses (two, probably?), but possibly only one is used (bus #0). 
On this bus, there are currently two known slaves:

* The PMU at address 0x73
* The DAC at address 0x1A

The bus runs at 1.8V with a clock of 333.33KHz.

Other notes about the I2C peripheral from Rockbox:

* s5l8702 I2C controller is similar to s5l8700, known differences are:
** IICCON[5] is not used in s5l8702.
** IICCON[13:8] are used to enable interrupts.
** IICSTA2[13:8] are used to read the status and write-clear interrupts.
* Known interrupts:
** [13] STOP on bus (TBC)
** [12] START on bus (TBC)
** [8] byte transmitted or received in Master mode (not tested in Slave)
** IICCON[4] does not clear interrupts, it is enabled when a byte is transmitted or received, in Master mode the tx/rx of the next byte starts when it is written as "1".

=== Digital Audio Subsystem (I2S) ===

The iPod n3g uses a Wolfson DAC (WM1870) to convert digital audio to analog audio. The S5L8702 sends digital audio in the form of I2S data at 44.1kHz with 16-bit resolution. Even if there is no audio playing, at some point during boot up, the I2S peripheral is turned on, meaning the Bit Clock and Word Select are always on. During the 1kHz tone test in the diagnostic menu, the I2S mode is different, possibly a half-data mode since the test tone is one channel.

The S5L8702 seems to support 3 I2S interfaces, but only one is used for audio playback. It's possible another one is used for microphone recording (when an Apple headset with a microphone is plugged in, you can record voice memos) but this is unconfirmed.

The S5L8702 sends data to the DAC at full volume no matter what. Volume is configured via I2C bus #0. As far as I can tell, two commands are issued to change the volume:

 Address 0x1A, Data 0x04 <volume>
 Address 0x1A, Data 0x07 <volume>

Where <volume> is a number between 0xB7 for quietest to 0xF5 for loudest. It's also possible that a special value of 0x80 is for full mute, but this is unconfirmed. 
It's also unclear what the 0x04 and 0x07 mean; perhaps it's capable of changing the volume of both channels independently?

Both the I2C and I2S busses run at 1.8V.

=== NAND ===
NAND hardware is an enigma. There has been a rather substantial effort on this subsystem alone. Most of that is documented [https://github.com/lemonjesus/S5L8702-FMISS-Tools here].

==Helpful pages==
Chip analyses:
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#

Teardowns:
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]

a319fd6df3fa7c9d9b320bd8da50627bf9153787 Status 0 121 22068 21990 2023-12-30T14:30:20Z User890104 124 announce code exec on nano6g and nano7g wikitext text/x-wiki

<!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} -->
This status is based on the progress the freemyipod team has made so far. This is mostly a summary of reverse engineering and 'janitorial' work required to run end-user software like Rockbox or Linux.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G]]<ref name="nano6g7g"/> !! [[Nano 7G]]<ref name="nano6g7g"/> !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Tethered'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware decryption | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[U-Boot]] | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot [[OSOS]] | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="uartnotneeded">UART is not really needed here as we can already access 
the device via USB.</ref>
<ref name="nano6g7g">The "Nano" 6G and 7G are something entirely new that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how these devices work and whether we want to do something with them at all.</ref>
<ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain which negates the need of some features.</ref>
</references>

0f197d7933f1b289e8c47d823e501d66ef044718 22069 22068 2023-12-30T14:33:15Z User890104 124 wikitext text/x-wiki

<!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} -->
This status is based on the progress the freemyipod team has made so far. This is mostly a summary of reverse engineering and 'janitorial' work required to run end-user software like Rockbox or Linux.

{| class="wikitable"
! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G]] !! [[Nano 7G]] !! [[Classic 1G]] !! [[Classic 2G]] !!
[[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Tethered'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''<ref name="nano6g7g"/></span> | <span style="color:green">'''Yes'''<ref name="nano6g7g"/></span> |- | Firmware decryption | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[U-Boot]] | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot [[OSOS]] | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="uartnotneeded">UART is not 
really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">Nano 6G and Nano 7G code execution is implemented using CVE-2010-1797</ref> <ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain which negates the need of some features.</ref> </references> 89f1133a58d4571b8e120811dcb6d65fea9ffe31 22070 22069 2023-12-30T14:34:28Z User890104 124 wikitext text/x-wiki <!-- {{outdated|reason=This page is not updated anymore, please refer to [https://www.rockbox.org/ Rockbox's website] for a list of supported iPod models.}} --> This status is based on the progress the freemyipod team has made so far. This is mostly a summary of reverse engineering and 'janitorial' work required to run end-user software like Rockbox or Linux. {| class="wikitable" ! !! [[Nano 2G]] !! [[Nano 3G]] !! [[Nano 4G]] !! [[Nano 5G]] !! [[Nano 6G]] !! [[Nano 7G]] !! [[Classic 1G]] !! [[Classic 2G]] !! [[Classic 3G]] |- | Code execution | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Tethered'''</span> | <span style="color:green">'''Yes'''<ref name="nano6g7g"/></span> | <span style="color:green">'''Yes'''<ref name="nano6g7g"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Firmware decryption | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | [[U-Boot]] | <span style="color:red">'''No'''</span> | <span 
style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | [[emCORE]] | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Boot [[OSOS]] | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SDRAM | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="tethered"/></span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | UART | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:grey">'''No'''<ref name="uartnotneeded"/></span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> |- | USB | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | SPI | <span style="color:grey">'''Unused'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | I2C | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Backlight | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | LCD | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span 
style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Clickwheel | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Audio | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | NAND/Hard Drive | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Power management | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> | <span style="color:grey">'''Partially'''</span> |- | RTC | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | 
<span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:green">'''Yes'''</span> |- | Piezo | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> |- | Accelerometer | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:green">'''Yes'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:red">'''No'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> | <span style="color:grey">'''N/A'''</span> |} ===Annotations=== <references> <ref name="uartnotneeded">UART is not really needed here as we can already access the device via USB.</ref> <ref name="nano6g7g">Nano 6G and Nano 7G code execution is implemented using CVE-2010-1797</ref> <ref name="tethered">Nano 5G support is implemented in a tethered fashion via wInd3x, where we re-use parts of the original Apple boot chain which negates the need of some features.</ref> </references> 861005ce1acfcda8251b610e9049f3e48986fc95 Disk Mode 0 6446 22071 2024-01-11T06:26:31Z LemonJesus 6239 created a Disk Mode page wikitext text/x-wiki Disk Mode is a binary that serves two purposes: first, it exposes a USB Mass Storage and SCSI device to provide access to the iPod's filesystem. Second, it facilitates the recovery functionality of the iPod. On the Nano 3G, it is stored on NOR Flash. This page currently focuses on the Nano 3G's Disk Mode unless otherwise noted. == Memory Layout == The memory layout of Disk Mode is far simpler than that of Retail OS. 
See [[RetailOS#Analysis_.2F_Memory_Layout|analysis of Retail OS's memory layout]] for more details about how this relocation process works. There are only two sections that get relocated:

{| class="wikitable"
|-
! Name !! Memory Address !! File Offset
|-
| sram.text || 0x22000000 || 0x00000000
|-
| dram.textdata || 0x08000000 || 0x000051f4
|}

== Known RTXC Tasks ==
There are several tasks in Disk Mode that RTXC manages. These are inferred from the presence of string names for these tasks:

* HostOSTask
* USBDeviceTask
* ATAWorkLoopTask
* ATAWorkLoopIRQTask
* CNATask

d0f7753d1135caef69198058e50912da2213db93 Main Page 0 50 22072 22002 2024-05-04T14:41:40Z Q3k 6232 wikitext text/x-wiki

__NOTOC__
[[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]]
This is the wiki for the freemyipod project.

Freemyipod is a project for reverse-engineering iPods with a clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares such as [http://www.rockbox.org Rockbox] or Linux to them. Freemyipod is a relaunch of [[Linux4nano]].

== FAQ ==

=== What can I do with my iPod Nano 2, iPod Classic or older iPods? ===
There's an upstream Rockbox port for these devices. Go use that.

=== What can I do with my iPod Nano 3/4/5? ===
Not much (yet) unless you're an embedded developer :).

We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]].

There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned.

=== What can I do with my iPod Nano 6/7? ===
Nothing, other than helping us find vulnerabilities to get code execution on them.

== Getting an account ==
Due to spambots, registration is closed. For an account, contact [[User:User890104|User890104]] or [[User:Q3k|q3k]].

==Updates==
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.]
* {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered!
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G.
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution!
* {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime.
<!--
* {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project.
* {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now).
* {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information.
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} c881be7811e839696886e8f60388d06a67e19891 22080 22072 2024-08-04T02:13:41Z Q3k 6232 Removed protection from "[[Main Page]]" wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} c881be7811e839696886e8f60388d06a67e19891 Nano 7G 0 6422 22078 21922 2024-08-04T02:03:32Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 remove outdated note wikitext text/x-wiki [[Image:Nano7g_front.jpg|500px]] [[Image:Nano7g_back.jpg|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0004">Red</span> | PMIC | | Apple 338S1099 | Guessing based on connectivity to power components around. 
|- | <span style="color:#ff9024">Orange</span> | Bluetooth + FM radio | Broadcom BCM2078KUBG | | |- | <span style="color:#f3e00e">Yellow</span> | | NXP Semiconductors 1609A1 | | |- | <span style="color:#16dc81">Green</span> | | | 75203 23017 | |- | <span style="color:#2343e8">Blue</span> | | | 75292 98820 | |} {| class="wikitable" ! Label !! Component !! Part !! Markings !! Notes |- | <span style="color:#ff0000">Red</span> | NAND flash | Toshiba THGBX2G7D2JLA01 128 Gb (16 GB) | | |- | <span style="color:#ff9024">Orange</span> | Touchscreen controller | Texas Instruments 343S0538 | | |- | <span style="color:#f3e00e">Yellow</span> | | | Apple 338S1146 | |- | <span style="color:#16dc81">Green</span> | SoC/CPU | S5L8740 | 339S0193 | 8740 per IMG1. Guessing based on similar package to N6G SoC/CPU. Also has the most diffpairs running to/from it (from delayered PCB). |} ==Helpful pages== Teardowns: * https://www.ifixit.com/Teardown/iPod+Nano+7th+Generation+Teardown/10826 <!-- Reviews: * TODO --> d400755defaed9f7760739396ae5625fc61b39d9 Nano 6G 0 276 22079 3916 2024-08-04T02:04:13Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 remove outdated note wikitext text/x-wiki [[Image:nano_6g_frt_a.png|500px]] [[Image:nano_6g_bck_a.png|500px]] ==Components== {| class="wikitable" ! Label !! Component !! Part !! Markings !! 
Notes |- | <span style="color:red">Red</span> | NAND Flash | | Toshiba TH58NVG6E2FLA4C | |- | <span style="color:cyan">Cyan</span> | Audio codec | Cirrus Logic CLI1544C0 | Apple 33850859 C0E111022 | |- | <span style="color:orange">Orange</span> | PMU | Dialog D1830B | Apple 338S0783-B1 10298HLS | |- | <span style="color:#e8e838">Yellow</span> | FM receiver | Silicon Labs Si4800 | 0650 D0UY 027 | |- | <span style="color:blue">Blue</span> | CPU | Samsung S5L8723 | Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031 | Samsung APL3278A01 ARM Application processor Samsung K4X51323PI Mobile DDR SDRAM (64 MB) Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source] |- | <span style="color:#cf5eea">Pink</span> | Touchscreen controller | Cypress CY8C20746B | 35758907 1025 A 04 629749 | |} ==Notes== The red and black wires lead to the battery. ==Helpful pages== Teardowns: *http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563 Reviews: *http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars *http://www.ubmtechinsights.com/reports-and-subscriptions/investigative-analysis/apple-ipod-nano/ 526e88b9464dc7acdb834b77dc0b113f4f6b8087 File:Disk swap flowchart.svg 6 6447 22081 2024-08-04T04:03:12Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Disk swap visualization.png 6 6448 22082 2024-08-04T04:05:30Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 Osos/disk swapping bug 0 6449 22083 2024-08-04T04:24:49Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 osos/disk swapping bug explanation wikitext text/x-wiki {{DISPLAYTITLE:osos/disk swapping bug}} [[File:Disk swap visualization.png|thumb|right|Simplified visualization of the boot logic of an iPod nano (6th generation)]] The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd 
generation and later) allowing for untethered boot of the [[retailOS]] with a modified resource partition.

== Explanation ==
In the firmware, the retailOS is stored in the <code>osos</code> partition, and disk mode is stored in the <code>disk</code> partition. The retailOS on the iPod nano reads from the <code>rsrc</code> partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the <code>rsrc</code> partition is signed, but not encrypted. The disk mode does not use the <code>rsrc</code> partition.

When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:

 if volume up pressed:
     boot "disk"
 else:
     if "rsrc" signature check passed:
         boot "osos"
     else:
         error out

If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the power up button is held. This is where the bug exists: because the iPod expects to boot disk mode, which does not usually utilize the <code>rsrc</code> partition, it doesn't perform a signature check on <code>rsrc</code> before booting.

== Notes ==
On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read-only to the device: no actions taken on the device persist after a reboot.

dab64ecba9bcabd3f372298670147ed1538c3d60 Ipod sun 0 6450 22084 2024-08-04T04:33:29Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 ipod_sun page wikitext text/x-wiki {{DISPLAYTITLE:ipod_sun}}

[https://github.com/CUB3D/ipod_sun ipod_sun] is a tool that builds a modified firmware image enabling code execution on the iPod nano 6th and 7th generation.
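The boot decision from the osos/disk swapping bug explanation, modelled in C as an added example (not code from the firmware or from ipod_sun). The struct layout, enum names and the <code>rsrc_sig_ok</code> flag are assumptions made for the model, and <code>boot_hardened</code> is one possible mitigation that assumes the loader can learn what an image is independently of its partition name.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What a partition's payload really is, independent of its label. */
enum image { IMG_NONE, IMG_RETAILOS, IMG_DISKMODE };

/* Outcome of one power-on in this model. */
enum result {
    BOOT_ERROR,
    RAN_DISKMODE,
    RAN_RETAILOS_VERIFIED,   /* retailOS started after rsrc was checked */
    RAN_RETAILOS_UNVERIFIED  /* retailOS started, rsrc never checked    */
};

struct partition { const char *name; enum image payload; };

/* Hypothetical, simplified firmware image: two bootable partitions plus
 * a flag standing in for the real rsrc signature verification. */
struct firmware {
    struct partition parts[2];
    bool rsrc_sig_ok;
};

/* Constructed sample images: stock layout, or names of osos/disk swapped. */
struct firmware make_firmware(bool swapped, bool rsrc_sig_ok)
{
    struct firmware fw;
    fw.parts[0].name = swapped ? "disk" : "osos";
    fw.parts[0].payload = IMG_RETAILOS;
    fw.parts[1].name = swapped ? "osos" : "disk";
    fw.parts[1].payload = IMG_DISKMODE;
    fw.rsrc_sig_ok = rsrc_sig_ok;
    return fw;
}

static enum image payload_of(const struct firmware *fw, const char *name)
{
    for (size_t i = 0; i < 2; i++)
        if (strcmp(fw->parts[i].name, name) == 0)
            return fw->parts[i].payload;
    return IMG_NONE;
}

static enum result start_image(enum image img, bool rsrc_checked)
{
    if (img == IMG_DISKMODE)
        return RAN_DISKMODE;
    if (img == IMG_RETAILOS)
        return rsrc_checked ? RAN_RETAILOS_VERIFIED : RAN_RETAILOS_UNVERIFIED;
    return BOOT_ERROR;
}

/* Logic as the page describes it: the rsrc check lives only on the
 * branch that boots the partition *named* "osos". */
enum result boot_as_described(const struct firmware *fw, bool button_held)
{
    if (button_held)
        return start_image(payload_of(fw, "disk"), false);
    if (!fw->rsrc_sig_ok)
        return BOOT_ERROR;
    return start_image(payload_of(fw, "osos"), true);
}

/* Mitigation sketch: select by name as before, but gate on what the
 * selected image is. Disk mode stays reachable for recovery. */
enum result boot_hardened(const struct firmware *fw, bool button_held)
{
    enum image img = payload_of(fw, button_held ? "disk" : "osos");
    if (img == IMG_RETAILOS && !fw->rsrc_sig_ok)
        return BOOT_ERROR;
    return start_image(img, img == IMG_RETAILOS);
}

int main(void)
{
    static const char *names[] = {
        "error", "disk mode", "retailOS (rsrc verified)",
        "retailOS (rsrc NOT verified)"
    };
    /* Swapped partition names plus an rsrc that fails its signature. */
    struct firmware fw = make_firmware(true, false);
    for (int held = 0; held <= 1; held++) {
        printf("button %-8s as described: %-30s hardened: %s\n",
               held ? "held" : "released",
               names[boot_as_described(&fw, held)],
               names[boot_hardened(&fw, held)]);
    }
    return 0;
}
```

With swapped names and a failing <code>rsrc</code> signature, the described logic reaches retailOS without ever running the check, while the hardened variant errors out on that path and still allows disk mode on a stock layout.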
It works by replacing a font file in the <code>rsrc</code> partition of the firmware image with a malformed OTF font exploiting CVE-2010-1797<ref>https://www.cve.org/CVERecord?id=CVE-2010-1797</ref>. == Usage == Once the firmware is booted on the device, usually via the [[Osos/disk swapping bug|osos/disk swapping bug]], the following additional SCSI commands are added: * <code>C6 96 01 __ __ __ __</code> - write data to memory * <code>C6 96 02 __ __ __ __</code> - read data from memory * <code>C6 96 03 __ __ __ __</code> - call a certain address in memory The underscores represent the 4-byte memory address. <code>C6</code>, the operation code for these commands, is used for proprietary Apple SCSI commands and exists in unmodified firmware. Only these instructions are part of ipod_sun. ffdcf0db2a62bfde3efc36b43e7f30521b58e1a7 Main Page 0 50 22085 22080 2024-08-04T04:35:02Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 add n7g wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod Nano 2, iPod Classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod Nano 3/4/5? === Not much (yet) unless you're an embedded developer :). We have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[OSOS]]. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 78e5f39e0b2730d26da65cfbfe49512dc1600498 22086 22085 2024-08-04T04:35:17Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 add ipod_sun wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project for reverse-engineering iPods with clickwheel ('''no''' iOS devices) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} aca0e87f2ca5d9615fa68143364970211aeb0f16 22089 22086 2024-08-04T04:58:50Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 rework :3 wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. 
Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution on Nano 3G-5G. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. 
<!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated into Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for the iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE, including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed.
The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! 
[http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} a7e7aa56ab3a28d6ee77813cff6893a1e3091635 22091 22089 2024-08-20T00:11:09Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 remove duplicate text wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] 
and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. 
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated into Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for the iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now!
All emBIOS users are advised to upgrade to emCORE, including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day.
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} f574ec76bf2f9cd1bf132712b8caea3502eabc7c 
22092 22091 2024-12-16T09:27:34Z User890104 124 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2024-12-16}} - [[S5Late]], a tethered iPod bootrom/DFU exploit for Nano 7G (and possibly Nano 6G), is released. * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. 
* {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated into Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for the iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>.
* {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE, including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer.
* {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] 
** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} bf1118244c4eddd4e6c2666c6579b3f9f6fc81af 22094 22092 2024-12-16T10:03:07Z User890104 124 /* FAQ */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. On 7th generation (and possibly 6th generation), a vulnerability in DFU_DNLOAD packet parsing code can be exploited with [[S5Late]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. 
== Getting an account == Due to spambots, registration is closed. For an account, contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2024-12-16}} - [[S5Late]], a tethered iPod bootrom/DFU exploit for Nano 7G (and possibly Nano 6G), is released. * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code are slowly being integrated into Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped build a Rockbox bootloader for the iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file...") has finally been fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems.
iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE, including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it.
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 04427e70689e71bc9db89e57240577ecd1646056 22095 22094 2024-12-16T10:03:18Z User890104 124 /* FAQ */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. 
Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. On the 7th generation (and possibly 6th generation), a vulnerability in DFU_DNLOAD packet parsing code can be exploited with [[S5Late]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2024-12-16}} - [[S5Late]], a tethered iPod bootrom/DFU exploit for Nano 7G (and possibly Nano 6G), is released. * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. 
* {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! 
All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 1527df8700776bd47cebebcd7393f79a3591b0f0 
22107 22095 2024-12-25T22:35:03Z Q3k 6232 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. On the 7th generation (and possibly 6th generation), a vulnerability in DFU_DNLOAD packet parsing code can be exploited with [[S5Late]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2024-12-25}} - Some of us will be at 38C3 in Hamburg! [https://events.ccc.de/congress/2024/hub/de/project/ipod-nano-hacking-freemyipod/ Come say hi!] 
* {{#dateformat:2024-12-16}} - [[S5Late]], a tethered iPod bootrom/DFU exploit for Nano 7G (and possibly Nano 6G), is released. * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! * {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. 
* {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. 
* {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. * {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. 
{| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} 4ed126b9e1f5cd19d726f86a048aaa0e0ac4c786 22108 22107 2024-12-25T22:35:43Z Q3k 6232 /* Updates */ wikitext text/x-wiki __NOTOC__ [[File:EmCORE_Nano2G_Nano4G_Classic.jpg|280px|thumb|right|[[emCORE]] r779 on [[Nano 2G]], [[Nano 4G]] and [[Classic 2G]]]] This is the wiki for the freemyipod project. Freemyipod is a project aimed at reverse-engineering non-iOS iPods (all models other than the Touch) and creating tools and documentation so that other people can port alternative firmwares to them such as [http://www.rockbox.org rockbox] or Linux. 
Freemyipod is a relaunch of [[Linux4nano]]. == FAQ == === What can I do with my iPod nano (2nd generation), iPod classic or older iPods? === There's an upstream Rockbox port for these devices. Go use that. === What can I do with my iPod nano (3rd generation) or newer? === Not much (yet) unless you're an embedded developer :). On the 3rd, 4th and 5th generation, we have a stable tethered exploit ([[wInd3x]]) which allows early, untethered and safe (no permanent modification) code execution. This in turn allows you to run [[U-Boot]] and an early [[Linux|Linux port]] or experiment with reverse-engineering/modifying the original firmware, [[retailOS]]. On the 6th and 7th generation, a font parsing vulnerability (CVE-2010-1797) can be exploited with [[ipod_sun]]. On the 7th generation (and possibly 6th generation), a vulnerability in DFU_DNLOAD packet parsing code can be exploited with [[S5Late]]. There's a set of earlier tooling ([[emCORE]]/[[emBIOS]]/[[iBugger]]) which was exploiting other vulnerabilities and was a lead-up to a port of Rockbox, but it's mostly abandoned. == Getting an account == Due to spambots, registration is closed. For an account contact [[User:User890104|User890104]] or [[User:Q3k|q3k]]. ==Updates== * {{#dateformat:2024-12-25}} - Some of us will be at 38C3 in Hamburg! [https://events.ccc.de/congress/2024/hub/en/project/ipod-nano-hacking-freemyipod/ Come say hi!] * {{#dateformat:2024-12-16}} - [[S5Late]], a tethered iPod bootrom/DFU exploit for Nano 7G (and possibly Nano 6G), is released. * {{#dateformat:2023-12-28}} - [[ipod_sun]], a tool that enables code execution on the iPod nano 6th and 7th generation, is released. * {{#dateformat:2023-01-07}} - [https://social.hackerspace.pl/@q3k/109655916469636189 A preliminary U-Boot port to the Nano 5G has been developed.] * {{#dateformat:2022-01-04}} - The bootrom of iPod Nano 5G was successfully dumped, and is in the process of being reverse-engineered! 
* {{#dateformat:2021-12-31}} - An exploit named wInd3x, which exploits the latest vulnerability, is being prepared for Nano 4G and Nano 5G. * {{#dateformat:2021-12-27}} - A new vulnerability was discovered in iPod Nano 4G and Nano 5G bootrom, which allows arbitrary code execution! * {{#dateformat:2018-08-25}} - The website software has been updated to MediaWiki 1.31 after about 2 months of downtime. <!-- * {{#dateformat:2016-06-17}} - The freemyipod project is becoming deprecated, as parts of the code is slowly being integrated in Rockbox. It is likely that no future development on the freemyipod project will take place. Essential parts of emCORE helped building a Rockbox bootloader for iPod Classic, and any future development will take place in the Rockbox project. * {{#dateformat:2014-03-26}} - A bug that prevented [[emCORE]] installations on certain Windows configurations (getting stuck on "Booting UBI file..."), has been finally fixed! If the installation has failed for you before, you can retry it using the updated version of our tool (use the iTunes method for now). * {{#dateformat:2012-01-02}} - There have been some problems with the latest release. A hotfix release ([[EmCORE_Releases/r859|r859]]) has been published to fix some of these problems. iPod nano 2g users are advised to upgrade. See the [[EmCORE_Releases/r859|release details page]] for more information. * {{#dateformat:2012-01-01}} - A new release <s>([[EmCORE_Releases/r855|r855]])</s> is out! It includes a couple of new features, several bugfixes and a new bootmenu theme! More information on the <s>[[EmCORE_Releases/r855|release details page]]</s>. * {{#dateformat:2011-04-25}} - The [[emCORE]] kernel now runs on the iPod Touch 2G as well, thanks to the help of kleemajo. This is of course not a fully functional port yet, but we'll see how it continues. It's about the same state as the iPod Nano 4G now. /7 * {{#dateformat:2011-03-25}} - [[emCORE]] is replacing [[emBIOS]] completely now. 
Therefore [[emBIOS]] will be deprecated software as of now! All emBIOS users are advised to upgrade to emCORE including people using iLoader 0.2.2 or less. More detailed update instructions will follow! * {{#dateformat:2011-01-08}} - The Rockbox port for the iPod Classic is slowly getting usable. Most of the blocking issues have been fixed. The first-generation 160GB model still doesn't work, and some people are experiencing slightly garbled display contents. * {{#dateformat:2011-01-04}} - There is an early Rockbox port for the iPod Classic! It still isn't quite usable, playback stutters etc., but if you want to play around with it, here are some quick'n'dirty notes on the installation procedure: [[IPod Classic iLoader Installation]] * {{#dateformat:2010-11-22}} - We now have emBIOS support for the iPod classic 1g, the others might follow soon * {{#dateformat:2010-08-29}} - We're proud to announce the release of [[emBIOS]] v0.1.0 and [[iLoader]] v0.2.0! * {{#dateformat:2010-08-26}} - [[iLoader]], its installer and uninstaller all have been fully ported to [[emBIOS]] now. A beta release will be coming soon! * {{#dateformat:2010-08-13}} - [[emBIOS]] is continually being improved and the next step is porting tools like [[iLoader]] to use it. * {{#dateformat:2010-08-06}} - The wiki has now been moved to www.freemyipod.org * {{#dateformat:2010-08-05}} - Recently we've been working on a hardware abstraction project called [[emBIOS]]. Follow development [http://websvn.freemyipod.org/listing.php?repname=freemyipod&path=/embios/ here] * {{#dateformat:2010-08-03}} - We can now access the Nano 4G accelerometer. * {{#dateformat:2010-08-02}} - serpilliere managed to decrypt the NOR flash on the [[Nano 3G]]. * {{#dateformat:2010-08-01}} - serpilliere managed to access and dump the NOR flash on the [[Nano 3G]]. This code could possibly work on the Classics. * {{#dateformat:2010-07-27}} - The server got zapped by lightning but a new one was up and running within a day. 
* {{#dateformat:2010-02-23}} - We can now execute code on everything besides the [[Nano 5G]]! Minimalistic iBugger working on [[Nano 3G]]! * {{#dateformat:2009-11-01}} - iBugger core v0.1 successfully running on [[Nano 4G]]! [http://img217.imageshack.us/img217/4122/img0969.jpg] --> Follow [http://twitter.com/freemyipod our Twitter feed] to get status updates automatically. See the [[Status]] page for more detailed information. Check our [[ Special:Code/freemyipod|SVN activity ]] page for the latest changes to our source code. {| cellspacing="3" width="100%" |- valign="top" |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Project info=== * [[ Status ]] * [[ Contact ]] * [[ Contributing ]] ===Released Software=== * [[wInd3x]] * [[ipod_sun]] * [[U-Boot|U-Boot port]] * [[Linux|Linux port]] * Legacy: ** [[iBugger]] ** [[iLoader]] ** [[emCORE]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Basic skills=== * [[Working with binaries]] * [[Dumping firmware]] * [[Extracting firmware]] * [[Firmware downgrading]] * [[Troubleshooting]] ===Reverse engineering results=== * [[Firmware]] ** [[Bootrom]] ** [[Boot Process]] ** [[Firmware decryption]] ** [[FTL|Flash Translation Layer]] ** [[RetailOS]] *** [[RetailOS Options]] * [[GUID table]] * [[JTAG]] * Nano 2G ** [[Nano2G clock gates‎]] ** [[Nano2G LCD init]] ** [[Nano2G HW analysis]] ** [[S5L8701 analysis]] * Nano 4G ** [[Nano4G firmware upgrade process]] * Nano 5G ** [[Nano 5G|General]] ===Other guides=== * [[Modes]] |style="border: 1px dashed #c6c9ff; background-color: #f0f0ff"| ===Hardware=== * [[Hardware]] ** [[Nano 1G]] ** [[Nano 2G]] ** [[Nano 3G]] ** [[Nano 4G]] *** [[920-0614-03]] ** [[Nano 5G]] ** [[Nano 6G]] ** [[Nano 7G]] ** [[Classic 1G]] ** [[Classic 2G]] ** [[Classic 3G]] * [[Chronology]] * [[S5L8700 datasheet]] ===Exploiting=== * [[wInd3x]] * [[Pwnage 2.0]] * [[Notes vulnerability]] ** [[Address bruteforcing]] ** [[Nanotron 3000]] |} fc98a29d910859538f92ab49babfc4fe8bddf7ea 
Osos/disk swapping bug 0 6449 22087 22083 2024-08-04T04:41:50Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 reword wikitext text/x-wiki
{{DISPLAYTITLE:osos/disk swapping bug}}
[[File:Disk swap visualization.png|thumb|right|Simplified visualization of the boot logic of an iPod nano (6th generation)]]
The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd generation and later) allowing for untethered boot of the [[retailOS]] with a modified resource partition.

== Explanation ==
In the firmware, the retailOS is stored in the <code>osos</code> partition, and disk mode is stored in the <code>disk</code> partition. The retailOS on the iPod nano reads from the <code>rsrc</code> partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the <code>rsrc</code> partition is signed, but not encrypted. The disk mode does not use the <code>rsrc</code> partition.

When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:

 if volume up pressed:
     boot "disk"
 else:
     if "rsrc" signature check passed:
         boot "osos"
     else:
         error out

If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the volume up button is held. This is where the bug exists: if the iPod is booted with the volume up button pressed, the iPod, expecting to boot disk mode, will boot into retailOS without performing a signature check on <code>rsrc</code>.

== Notes ==
On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.
0e9349eca9030cc23b1fb6a559d025bf4e23b33e
22088 22087 2024-08-04T04:42:23Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 wikitext text/x-wiki
{{DISPLAYTITLE:osos/disk swapping bug}}
[[File:Disk swap visualization.png|thumb|right|Simplified visualization of the boot logic of an iPod nano (6th generation)]]
The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd generation and later) allowing for untethered boot of the [[retailOS]] with a modified resource partition.

== Explanation ==
In the firmware, the retailOS is stored in the <code>osos</code> partition, and disk mode is stored in the <code>disk</code> partition. The retailOS on the iPod nano reads from the <code>rsrc</code> partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the <code>rsrc</code> partition is signed, but not encrypted. The disk mode does not use the <code>rsrc</code> partition.

When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:

 if volume up pressed:
     boot "disk"
 else:
     if "rsrc" signature check passed:
         boot "osos"
     else:
         error out

If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the volume up button is held. This is where the bug exists: if the iPod is booted with the volume up button pressed, the iPod, expecting to boot disk mode, will boot into retailOS without performing a signature check on <code>rsrc</code>.

== Notes ==
On at least the iPod nano (6th generation), booting retailOS this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.
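The boot decision described in the osos/disk swapping bug page above, modelled as an added example (not code from the firmware or from the freemyipod project): the first function ties the <code>rsrc</code> check to the button branch, the second ties it to what the selected image actually is. The <code>image_kind</code> field, the directory arrays and all function names are assumptions made for this model; it assumes a loader could learn the image's kind from data covered by the image's own signature.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What an image really is. Assumption of this model: the loader can read it
 * from signed image data, independent of the (modifiable) directory name. */
enum image_kind { KIND_DISK_MODE, KIND_RETAIL_OS };

struct dir_entry {
    const char *name;      /* directory name, e.g. "osos" or "disk" */
    enum image_kind kind;  /* what the image behind that name really is */
};

enum boot_result { BOOTED_DISK_MODE, BOOTED_RETAIL_OS, BOOT_ERROR };

struct boot_outcome {
    enum boot_result result;
    bool rsrc_verified;    /* was the rsrc signature check performed at all? */
};

static const struct dir_entry *find(const struct dir_entry *dir, size_t n,
                                    const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(dir[i].name, name) == 0)
            return &dir[i];
    return NULL;
}

static enum boot_result run(const struct dir_entry *e)
{
    if (e == NULL)
        return BOOT_ERROR;
    return e->kind == KIND_RETAIL_OS ? BOOTED_RETAIL_OS : BOOTED_DISK_MODE;
}

/* Logic as the page describes it: the check hangs off the button branch,
 * so whatever is named "disk" runs without rsrc ever being verified. */
struct boot_outcome boot_by_name(const struct dir_entry *dir, size_t n,
                                 bool volume_up, bool rsrc_sig_ok)
{
    struct boot_outcome out = { BOOT_ERROR, false };
    if (volume_up) {
        out.result = run(find(dir, n, "disk"));
    } else {
        out.rsrc_verified = true;
        if (rsrc_sig_ok)
            out.result = run(find(dir, n, "osos"));
    }
    return out;
}

/* Hardened form: select the image first, then gate on what it is.
 * Anything that is retailOS must have a verified rsrc, whatever its name. */
struct boot_outcome boot_by_kind(const struct dir_entry *dir, size_t n,
                                 bool volume_up, bool rsrc_sig_ok)
{
    struct boot_outcome out = { BOOT_ERROR, false };
    const struct dir_entry *e = find(dir, n, volume_up ? "disk" : "osos");
    if (e == NULL)
        return out;
    if (e->kind == KIND_RETAIL_OS) {
        out.rsrc_verified = true;
        if (!rsrc_sig_ok)
            return out;
    }
    out.result = run(e);
    return out;
}

/* Constructed sample directories: stock layout and the swapped layout. */
static const struct dir_entry STOCK_DIR[] = {
    { "osos", KIND_RETAIL_OS }, { "disk", KIND_DISK_MODE } };
static const struct dir_entry SWAPPED_DIR[] = {
    { "osos", KIND_DISK_MODE }, { "disk", KIND_RETAIL_OS } };

int main(void)
{
    /* Swapped names, button held, rsrc signature invalid. */
    struct boot_outcome a = boot_by_name(SWAPPED_DIR, 2, true, false);
    struct boot_outcome b = boot_by_kind(SWAPPED_DIR, 2, true, false);
    struct boot_outcome c = boot_by_kind(STOCK_DIR, 2, false, true);
    printf("by name: result=%d rsrc_verified=%d\n", a.result, a.rsrc_verified);
    printf("by kind: result=%d rsrc_verified=%d\n", b.result, b.rsrc_verified);
    printf("stock:   result=%d rsrc_verified=%d\n", c.result, c.rsrc_verified);
    return 0;
}
```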
63c35c8e82e78f3876e79929600f4ccad813454a
WInd3x 0 6431 22090 21971 2024-08-04T23:55:31Z 760ceb3b9c0ba4872cadf3ce35a7a494 6233 lowercase display title wikitext text/x-wiki
== wInd3x Vulnerability ==
{{DISPLAYTITLE:wInd3x}}
A [[S5L8720 Bootrom|Bootrom]] vulnerability discovered and exploited by [[User:Q3k|q3k]] in December 2021. It allows code execution in the bootrom over USB.

=== Affected Devices ===
{| class="wikitable"
|-
! Device/SoC !! Vulnerable? !! Exploited?
|-
| [[Nano 3G]] || Yes || Yes
|-
| [[Nano 4G]] || Yes || Yes
|-
| [[Nano 5G]] || Yes || Yes
|-
| [[Nano 6G]] || No ||
|-
| [[Nano 7G]] || No ||
|-
| Classic “6G” || Yes || Yes
|-
| iPhone || ? ||
|-
| iPhone 3G || Yes || No
|}

=== Running / Usage ===
wInd3x currently allows you to:
# Decrypt [[IMG1]] files, like [[OSOS]] or the bootloader/[[WTF]]/...
# Access arbitrary memory and experiment with peripherals
# Run unsigned DFU payloads
# Run an unsigned [[OSOS]] or [[U-Boot]] by first running an automatically patched [[WTF]].
For guides, see [https://github.com/freemyipod/wInd3x github.com/freemyipod/wInd3x]

=== Vulnerability ===
This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequest == {0x20, 0x40}, but is still used to index an array of interface/class handlers (that in the Bootrom has a length of 1).

==== Nano 4G and 5G Exploit Chain ====
The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is such an instruction at 0x37c. We'll refer to it as X below. We abuse the fact that wIndex == 3 for bmRequest 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == address of SETUP. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X.
Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the received SETUP packet as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0.

We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we are finally able to execute either 0x800 (Nano 4G) or 0x400 (Nano 5G) bytes of fully user-controlled code.

In that payload, we send a stub which performs some runtime changes to the DFU's data structures to a) return a different product string b) overwrite an image verification vtable entry with a function that allows unsigned images. Some SRAM is carved out by this pay

==== Nano 3G and Classic (“6G”) ====
With bRequestType == 0x20 and wIndex == 6 we directly jump to code execution at the SETUP packet.

This Bootrom does not have a VTable which can be easily hooked to override functions to provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body.
95b64448a44389b881c22c21308d96bbe30f69a6 S5Late 0 6451 22093 2024-12-16T09:28:06Z User890104 124 Created page with "Tethered iPod bootrom/DFU exploit. Currently only supports Nano 7G, to support Nano 6G offsets need to be updated. https://github.com/m-gsch/S5Late" wikitext text/x-wiki
Tethered iPod bootrom/DFU exploit. Currently only supports Nano 7G; to support Nano 6G, the offsets need to be updated.
https://github.com/m-gsch/S5Late
1ddfe08d34c4df9e0d39f9148ecba4a8df5e2e3e File:MC531.jpeg 6 6452 22096 2024-12-20T01:06:27Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:CREADDF14209 2 680x680.png 6 6453 22097 2024-12-20T01:14:19Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Images1000x700.png 6 6454 22098 2024-12-20T01:14:56Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:IMG 20241219 224646.jpg 6 6455 22099 2024-12-20T01:16:14Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:IMG 20241219 230639.jpg 6 6456 22100 2024-12-20T01:16:47Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:IMG 20241219 230616.jpg 6 6457 22101 2024-12-20T01:17:31Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:20241219 173423.jpg 6 6458 22102 2024-12-20T01:21:23Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:20241219 173406.jpg 6 6459 22103 2024-12-20T01:22:05Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 File:-2147483648 -216575.jpg 6 6460 22104 2024-12-20T01:29:12Z User890104 124 wikitext text/x-wiki
da39a3ee5e6b4b0d3255bfef95601890afd80709 Camera Connection Kit 0 6461 22105 2024-12-20T01:30:32Z User890104 124 Created page with "[[File:MC531.jpeg|200px|thumb]] The Apple Camera Connection Kit is a 30-pin accessory, mainly for iPads. It exposes either a USB-A port, or a SD card slot. Its intended purpo..." wikitext text/x-wiki
[[File:MC531.jpeg|200px|thumb]]
The Apple Camera Connection Kit is a 30-pin accessory, mainly for iPads. It exposes either a USB-A port or an SD card slot. Its intended purpose is to allow users to transfer photos from their digital cameras to their iPad's Photos app.
The original product was sold as a bundle of two adapters, one of them being a 30-pin to USB-A converter, and the other a 30-pin to SD card converter.

There are Chinese clones available, for example LDNIO DL-P301. They usually provide both interfaces on the same device.

[[File:CREADDF14209_2_680x680.png|x300px]] [[File:Images1000x700.png|x300px]]

Here is a disassembly of one such clone.

[[File:IMG 20241219_224646.jpg|300px]] [[File:IMG_20241219_230639.jpg|300px]] [[File:IMG_20241219_230616.jpg|300px]]

[[File:20241219_173423.jpg|450px]] [[File:20241219_173406.jpg|450px]]

The pinout is as follows:
* 1 - GND
* 11 - Serial GND
* 12 - Serial TX
* 13 - Serial RX
* 15 - GND
* 16 - USB GND
* 18 - 3.3V power
* 21 - Accessory selection
* 25 - USB D-
* 27 - USB D+
* 29 - FireWire GND
* 30 - FireWire GND

Since pin 23 is not used, a boost converter can be found on the device, to convert from 3.3V to 5V for powering the USB device. Keep in mind that the current is limited, so power-hungry devices enter a restart loop.

Markings:
* Q1: A1SHB
* U3: 10A45
* U2 is deliberately sanded down and not readable

R5 is measured as 547.4kΩ. It is connected between pin 21 and the ground plane. It signals the type of accessory connected.

Attempting to connect the device to an unsupported iOS device shows the appropriate message.

[[File:-2147483648_-216575.jpg|300px]]

References:
* https://theapplewiki.com/wiki/30-pin_Connector
* https://www.macworld.com/article/205095/ipad_camera_connection_kit.html
* https://www.downtowndougbrown.com/2017/05/connecting-an-ios-device-to-an-ethernet-network/
* https://www.ifixit.com/Teardown/iPad+Camera+Connection+Kit+-+SD+Card+Adapter+Teardown/4129
* https://www.flickr.com/photos/omegatron/albums/72157627862038757/
78018bfc1a371b258d0dd6a3278f103104a773e8 920-0614-03 0 6443 22106 22074 2024-12-23T01:10:32Z Q3k 6232 wikitext text/x-wiki
The 920-0614-03 is seemingly a development/prototype iPod Nano 4G (or possibly iPod Touch 2G board?).
It appeared on a bunch of eBay auctions around September 2023.

== Specs ==
'''SoC''': S5L8720

'''Flash''': Usually desoldered

'''DRAM''': To be checked

== UART ==
The board has at least two ways to access UART:
# Over DE9 connector.
# Over USB/Serial bridge.
# Over 30-pin connector.

'''TODO''': Figure out which serial is which, and document reanimating DE9/USB.

== Power ==
The board runs from either the 30-pin connector by itself (although it can sometimes be unstable) or from 5V over a DC power jack (which provides a 4V-ish supply that simulates the device's battery).

== JTAG ==
[[JTAG]] is available over the 30-pin connector, but is also seemingly locked out as on production devices.

== Getting code to run ==
[[wInd3x]] works on the device. On devices without Flash, attempting to run the standard WTF causes a reset.

== Differences from production device ==
=== CHIPID ===
Different CHIPIDL/H values are present in the CHIPID peripheral:

{| class="wikitable"
|-
! SoC !! CHIPIDL (<code>0x3d100_0004</code>) !! CHIPIDH (<code>0x3d100_0008</code>)
|-
| Nano 4G || <code>19000011</code> || <code>8720000f</code>
|-
| 920-0614-03 || <code>11000001</code> || <code>8720180f</code>
|}

Effects:
# <code>CHIPIDL & 0x10 == 0</code>: The BootROM accepts an additional top-level serial: 0x01 0xFB '''0x00''' 0xFB in addition to the standard 0x01 0xFB '''0x01''' 0xFB
# <code>CHIPIDL & (1 << 27) == 0</code>: The WTF's ChipID[2] function returns 2 instead of 3 in second argument.

== Pins ==
As the board has clearly labeled and accessible GPIO pins / configuration straps, it's a good candidate to reverse engineer pin functionality as used in the production device.

{| class="wikitable"
|-
! S5L8720 GPIO !! Function on board
|-
| 91 || 'DFU' button
|-
| 5 || DB9 UART TX (J9204)
|}

== Case ==
Protective case design: https://www.printables.com/model/628404-920-0614-03-ipod-nano-4g-prototype-case
e2b9049d1b93ab4f8fa4f77d076c4cdcca385bb6